by josefx 603 days ago
> is common advice for handling SQL

Are we still passing SQL statements and data to the SQL back end as a single string instead of passing them separately? Why would you even need to escape SQL data in 2024?


One example that I found is that some libraries/databases don't allow DDL statements to be parameterised - so if you are managing tables and columns from code and those names came from end users then you should be checking them.
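The two paths the reply distinguishes, as an added example that is not from either commenter: data is sent to the driver as bound parameters, while table and column names spliced into DDL (which the driver cannot bind) are accepted only if they pass a strict allowlist check, and are then quoted. Python's sqlite3 is assumed as the driver; the identifier rule and reserved-word list are constructed for illustration.

```python
import re
import sqlite3

# Constructed rule for names that must be spliced into DDL because most
# drivers cannot parameterise CREATE/ALTER TABLE. Assumption: the application
# only ever needs plain ASCII snake_case names of bounded length.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")
# Constructed, deliberately small list; a real deployment would use the
# engine's full keyword list.
RESERVED = {"select", "table", "drop", "insert", "delete", "update", "where"}


def is_safe_identifier(name: str) -> bool:
    """True only for names matching the strict pattern and not reserved."""
    return bool(IDENTIFIER_RE.fullmatch(name)) and name.lower() not in RESERVED


def quote_identifier(name: str) -> str:
    """Reject (never escape) unsafe names; double-quote the rest so the
    engine reads them as identifiers, not keywords."""
    if not is_safe_identifier(name):
        raise ValueError(f"rejected identifier: {name!r}")
    return f'"{name}"'


def create_table(conn: sqlite3.Connection, table: str, columns: list[str]) -> None:
    """DDL path: names are validated and quoted because they cannot be bound."""
    cols = ", ".join(f"{quote_identifier(c)} TEXT" for c in columns)
    conn.execute(f"CREATE TABLE {quote_identifier(table)} ({cols})")


def insert_row(conn: sqlite3.Connection, table: str, column: str, value: str) -> None:
    """DML path: the value travels separately as a bound parameter."""
    conn.execute(
        f"INSERT INTO {quote_identifier(table)} ({quote_identifier(column)}) VALUES (?)",
        (value,),
    )


def demo() -> list[str]:
    """Create a table from user-chosen names, then store a hostile-looking
    value through a parameter; it comes back as plain text."""
    conn = sqlite3.connect(":memory:")
    create_table(conn, "notes", ["body"])
    insert_row(conn, "notes", "body", "x'); DROP TABLE notes; --")
    return [row[0] for row in conn.execute('SELECT "body" FROM "notes"')]
```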