Input sanitization for OCP methods/injection attacks

Hi folks!
I’m writing my first Nextcloud server plugin where I take client-supplied data (URL path) and feed it to the OCP methods. Is this API protected against malicious payloads (e.g. injection attacks) or are developers expected to sanitize input before passing data on to these methods? The security guidelines do not state anything about that. I would expect there to be a trust boundary, but I’d prefer to know rather than assume when it’s about security.

(I do not perform raw database, filesystem or shell operations, and do not reflect client-controlled parameters back on the page. If I would, the responsibility would clearly lie with me.)

Thanks and regards,
Ion