Good point. My concern is that this is not exactly safe if the Data Access Layer is unknown or not part of the package.
In my case I'm building on top of Class::DBI, so as a 3rd-party programmer I have no idea whether Class::DBI is playing safe using placeholders and quote. Sure, I can look for myself in the source, but what if I change the DAL to a completely different layer or module?
When in doubt, the wise decision would still be not to accept any user input unless I'm sure it's safe, long before I pass it into a DAL. For that matter, let's assume there is no DAL. Then sanitizing user input is still my job.
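
The boundary check argued for above, as an added example that is not part of the original post: an allow-list validator that runs before any data access layer is called, so it behaves the same whether the DAL is Class::DBI or something else. The field names, patterns and sample records are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical per-field allow-list rules (field names are assumptions).
# \A and \z anchor the whole string; a bare $ would accept a trailing newline.
my %RULES = (
    username => qr/\A[A-Za-z0-9_]{3,32}\z/,
    age      => qr/\A[0-9]{1,3}\z/,
    email    => qr/\A[A-Za-z0-9._%+-]{1,64}\@[A-Za-z0-9.-]{1,253}\z/,
);

# Returns (\%clean, \@errors). Only fields that have a rule and match it are
# copied into %clean, so unexpected parameters never reach the DAL.
sub validate_input {
    my ($raw) = @_;
    my (%clean, @errors);
    for my $field (sort keys %RULES) {
        my $value = $raw->{$field};
        if    (!defined $value)            { push @errors, "$field: missing" }
        elsif ($value =~ $RULES{$field})   { $clean{$field} = $value }
        else                               { push @errors, "$field: rejected" }
    }
    push @errors, "$_: unexpected field"
        for grep { !exists $RULES{$_} } sort keys %$raw;
    return (\%clean, \@errors);
}

# Constructed sample input, standing in for decoded request parameters.
my @samples = (
    { username => 'alice_01', age => '34', email => 'alice@example.org' },
    { username => "bob'; --", age => '34', email => 'bob@example.org' },
    { username => 'carol',    age => '29', email => 'carol@example.org', role => 'admin' },
);

for my $raw (@samples) {
    my ($clean, $errors) = validate_input($raw);
    if (@$errors) {
        print "REJECT: ", join('; ', @$errors), "\n";
        next;
    }
    # Only at this point would $clean be handed to the DAL, whichever one is in use.
    print "ACCEPT: ", join(', ', map { "$_=$clean->{$_}" } sort keys %$clean), "\n";
}
```

Rejecting on any error, rather than stripping characters and continuing, keeps the check independent of how a particular DAL quotes or binds values.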