The vast majority of database entries are generated by the wallet and do not contain anything that the user can enter. Things that users can enter are generally validated prior to writing to the database, e.g. descriptors imported with importdescriptors must be valid descriptors before they are written.
The sole exception is labels, which by definition contain user-generated data. As such, if the record writing were implemented incorrectly, a user could use setlabel to perform a SQL injection attack, because the label string provided to setlabel must be passed directly to the SQL query that actually adds it to the database.

However, Bitcoin Core's use of sqlite prevents SQL injection attacks. Bitcoin Core uses prepared statements, so it is not possible to perform a SQL injection, barring some implementation error on the side of sqlite. These statements are prepared at the time the wallet is loaded. They are fixed queries and cannot be modified by the user: the label is bound to a placeholder as a value, so sqlite never parses its contents as SQL text.
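The following is an added illustration of the difference described above; it is not Bitcoin Core's code (which is C++ against the sqlite3 C API) but a Python model using the same sqlite library. The two-column key/value table is modelled on the layout of Bitcoin Core's SQLite wallet, and the label record key serialisation, the address and the labels are all constructed for the example. The unsafe variant splices the label into the query text, so even an innocent apostrophe is parsed as SQL grammar and the write fails; the prepared variant keeps a fixed query and binds the label as a parameter, so a label shaped like SQL is stored as inert data and the row count is unchanged.

```python
import sqlite3

# Constructed schema, modelled on the key/value layout of Bitcoin Core's
# SQLite wallet (an assumption for this example, not copied from the project).
SCHEMA = "CREATE TABLE main(key BLOB PRIMARY KEY NOT NULL, value BLOB NOT NULL)"

# Fixed query text, the equivalent of a statement prepared once at wallet load.
# The '?' placeholders receive bound values; sqlite never re-parses them as SQL.
WRITE_SQL = "INSERT OR REPLACE INTO main(key, value) VALUES(?, ?)"
READ_SQL = "SELECT value FROM main WHERE key = ?"


def label_key(address: str) -> bytes:
    # Hypothetical serialisation of a label ("name") record key; the real
    # wallet encoding in Bitcoin Core differs.
    return b"name\x00" + address.encode()


def open_wallet() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def set_label_unsafe(conn: sqlite3.Connection, address: str, label: str) -> None:
    """Vulnerable pattern: the label text becomes part of the SQL statement."""
    sql = (
        "INSERT OR REPLACE INTO main(key, value) "
        f"VALUES(X'{label_key(address).hex()}', '{label}')"
    )
    conn.execute(sql)
    conn.commit()


def set_label_prepared(conn: sqlite3.Connection, address: str, label: str) -> None:
    """Prepared statement: the query is constant, the label is a bound parameter."""
    conn.execute(WRITE_SQL, (label_key(address), label.encode()))
    conn.commit()


def get_label(conn: sqlite3.Connection, address: str):
    row = conn.execute(READ_SQL, (label_key(address),)).fetchone()
    return None if row is None else bytes(row[0]).decode()


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM main").fetchone()[0]


def demo() -> dict:
    conn = open_wallet()
    addr = "bcrt1qconstructedexampleaddress"   # constructed, not a real address
    awkward = "Alice's savings"                 # a perfectly legitimate label
    hostile = "x'); DELETE FROM main; --"       # a label shaped like SQL

    results = {}
    # Concatenation cannot even store an ordinary label containing an apostrophe:
    # sqlite reads the apostrophe as the end of the string literal.
    try:
        set_label_unsafe(conn, addr, awkward)
        results["unsafe_plain_apostrophe"] = "stored"
    except sqlite3.OperationalError as exc:
        results["unsafe_plain_apostrophe"] = f"error: {exc}"

    # The prepared statement stores both labels verbatim; the hostile one is
    # just bytes in the value column and replaces the same key, so no other
    # row is touched.
    set_label_prepared(conn, addr, awkward)
    results["prepared_plain_apostrophe"] = get_label(conn, addr)
    set_label_prepared(conn, addr, hostile)
    results["prepared_hostile_roundtrip"] = get_label(conn, addr)
    results["rows_after"] = row_count(conn)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The failure of the unsafe variant on a harmless apostrophe is the useful diagnostic: any write path that breaks on quoting is one where user data is reaching the SQL parser, which is exactly the precondition for injection that the prepared-statement design removes.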