
Pretty much every SQL injection attack is going to need to be injecting single quotes with some uncompliant lack of parameterization someone put together.

Simply using parameterized queries solves this problem, no amount of semicolons can escape it.



Yes, totally agree. There are many good SQL libraries now that use things like tagged templates (e.g. sql`SELECT * FROM foo WHERE bar = ${zed}`) that make it virtually impossible not to use parameterized queries.

But my primary point is that I still believe it makes sense to type string inputs as restrictively as possible, not just for SQL injections but also for other types of potential vulnerabilities. E.g. if you're taking a date string that you expect to be in YYYY-MM-DD format, it's best to type that string as such as far out at the edge as possible.
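As an added illustration of both points in this thread (not code from any commenter or library), here is a minimal `sql` tag that turns every `${...}` into a numbered placeholder with the value carried separately, plus an edge validator for the YYYY-MM-DD case. It goes slightly beyond the comment's one-liner by also composing nested fragments; it assumes Postgres-style `$N` placeholders and a driver that accepts `(text, values)` such as pg's `client.query`.

```javascript
// Added example: a tagged template that never splices values into the query
// text. Each ${...} becomes a $N placeholder and its value goes into a separate
// parameter array, which is what makes "no amount of quotes or semicolons
// can escape it" hold. Driver call (e.g. pg's client.query(text, values)) assumed.

class SqlFragment {
  constructor(text, values) { this.text = text; this.values = values; }
}

function sql(strings, ...exprs) {
  let text = '';
  const values = [];
  strings.forEach((chunk, i) => {
    text += chunk;
    if (i < exprs.length) {
      const expr = exprs[i];
      if (expr instanceof SqlFragment) {
        // Nested fragment: shift its $N placeholders past the values we already hold.
        text += expr.text.replace(/\$(\d+)/g, (_, n) => `$${Number(n) + values.length}`);
        values.push(...expr.values);
      } else {
        values.push(expr);
        text += `$${values.length}`;
      }
    }
  });
  return new SqlFragment(text, values);
}

// Validate a YYYY-MM-DD string at the edge; returns the string unchanged or throws.
const ISO_DATE = /^(\d{4})-(\d{2})-(\d{2})$/;
function parseIsoDate(input) {
  const m = ISO_DATE.exec(input);
  if (!m) throw new TypeError(`not a YYYY-MM-DD date: ${JSON.stringify(input)}`);
  const [y, mo, d] = m.slice(1).map(Number);
  const dt = new Date(Date.UTC(y, mo - 1, d));
  // Reject calendar-invalid values such as 2024-02-30 that Date would silently roll over.
  if (dt.getUTCFullYear() !== y || dt.getUTCMonth() !== mo - 1 || dt.getUTCDate() !== d) {
    throw new RangeError(`invalid calendar date: ${input}`);
  }
  return input;
}

// Constructed hostile input: it travels as a bound parameter, never as query text.
const bar = "'; DROP TABLE foo; --";
const q = sql`SELECT * FROM foo WHERE bar = ${bar} AND day = ${parseIsoDate('2024-02-29')}`;
```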



