Does WordPress validate inputs made to all built-in functions that access the database to protect against SQL injection vulnerabilities or do we have to validate before passing them?
Does WordPress validate inputs to all functions? (such as get_user_meta and insert_user_meta)
You have to do a lot by yourself. But you also have to check the core code by yourself to see if the current function you’re using is validating it and in which way.