This repository was archived by the owner on Oct 29, 2024. It is now read-only.
[feature][security] Add an option to escape queries #316
Closed
Description
Ideally the query method would work like that:
c.query("select value from measurement where tag = :value", value="untrusted input")
where value gets escaped and discourage the use of:
c.query("select value from measurement where tag = %s" % "untrusted input")
Reason is that people might use this in their application where values come in that they do not control,
and we end up with something like xkcd 327: https://xkcd.com/327/
I am not an expert on SQL injection, as there are some nasty edge cases, but maybe somebody in the community is. I think libraries should make it hard for users to make mistakes.
This is not only security relevant. This stuff can also happen unintentionally, as in #309.
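As an added example (not the library's own API, and not code from the issue author), here is one way to implement the proposed `:value` binding on the client side: the template is scanned once for named placeholders, every bound string is escaped and wrapped as a single-quoted literal, and the `%s`-style formatting the issue warns against is kept alongside for comparison. The helper names `bind_query`, `render_literal`, `escape_string_literal` and `unsafe_format` are hypothetical, and the escaping assumes InfluxQL's single-quoted string literals with backslash escapes; verify that rule against the query language you actually target before relying on it.

```python
import re
from numbers import Real

# Added example, not influxdb-python's own API: a client-side binder for
# named placeholders of the form ":name" in an InfluxQL query template.
# Assumes InfluxQL single-quoted string literals with backslash escapes.
_PLACEHOLDER = re.compile(r":([A-Za-z_][A-Za-z0-9_]*)")


def escape_string_literal(value: str) -> str:
    """Escape value so it stays inside one single-quoted string literal.

    Backslash and single quote are the only characters that can terminate
    or alter the literal, so both are backslash-escaped; nothing else changes.
    """
    return value.replace("\\", "\\\\").replace("'", "\\'")


def render_literal(value) -> str:
    """Render a Python value as a query literal of the matching type."""
    if isinstance(value, bool):  # check bool first: bool is an int subclass
        return "true" if value else "false"
    if isinstance(value, Real):
        return repr(value)
    if isinstance(value, str):
        return "'" + escape_string_literal(value) + "'"
    raise TypeError(f"cannot bind value of type {type(value).__name__}")


def bind_query(template: str, **params) -> str:
    """Replace every :name in template with the escaped literal for params[name].

    Substitution is a single pass over the template only, so a bound value
    that itself contains ":name" is never re-scanned and cannot smuggle in a
    placeholder. An unknown placeholder or an unused parameter raises, so a
    typo fails loudly instead of silently shipping a query with a bare ':name'.
    """
    used = set()

    def replace(match):
        name = match.group(1)
        if name not in params:
            raise KeyError(f"no value supplied for placeholder :{name}")
        used.add(name)
        return render_literal(params[name])

    query = _PLACEHOLDER.sub(replace, template)
    unused = set(params) - used
    if unused:
        raise ValueError(f"unused parameters: {sorted(unused)}")
    return query


def unsafe_format(template: str, value: str) -> str:
    """The pattern the issue warns against: plain % formatting, no escaping."""
    return template % value


if __name__ == "__main__":
    hostile = "x' or 1=1 --"  # constructed attacker-controlled tag value
    print(unsafe_format("select value from measurement where tag = '%s'", hostile))
    print(bind_query("select value from measurement where tag = :value", value=hostile))
```

With the hostile value, `unsafe_format` produces `tag = 'x' or 1=1 --'`, where the attacker's text has left the literal and become part of the predicate, while `bind_query` produces `tag = 'x\' or 1=1 --'`, a single string comparison. The same binder also covers the accidental case: a value that happens to contain a quote or a colon is escaped or left untouched rather than breaking the query.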