79785207

Date: 2025-10-08 08:11:44
Score: 0.5

The accepted answer is not clear enough. Here is what the official documentation states:

[...] data should always be passed separately and not as part of the SQL string itself. This is integral both to having adequate security against SQL injections as well as allowing the driver to have the best performance.

https://docs.sqlalchemy.org/en/20/glossary.html#term-bind-parameters

Meaning: SQLAlchemy queries are safe if you use ORM Mapped Classes instead of plain strings (raw SQL). You can find official documentation here.

Reasons:
  • No code block (0.5):
Posted by: Q Caron