To be very clear, a properly written `sql` tag, or for that matter a tag for some other DSL, should not suffer from injection attacks in its usage. This is because the tag function can clearly delineate between text from the template, which can be trusted; and the interpolations, which have to be quoted, bound, or otherwise worked with.
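An added example of the delineation described above (not code from the post or from the PEP): a hand-built `sql` tag function that turns template text into the query and every interpolation into a bound `?` parameter. The `Interpolation` class and the argument sequence stand in for what the real tag would receive, so the snippet runs on any current Python without tag-string syntax.

```python
import sqlite3
from dataclasses import dataclass


@dataclass
class Interpolation:
    """Stand-in for an interpolated expression handed to the tag function."""
    value: object


def sql(*parts):
    """Build (query, params) from alternating template text and interpolations.

    Literal text is developer-authored, so it passes through unchanged.
    Each interpolation becomes a '?' placeholder and its value is bound
    separately, so the value can never change the structure of the SQL.
    """
    query = []
    params = []
    for part in parts:
        if isinstance(part, Interpolation):
            query.append("?")
            params.append(part.value)
        else:
            query.append(part)
    return "".join(query), tuple(params)


def find_user(conn, name):
    # Equivalent of: sql"SELECT id, name FROM users WHERE name = {name}"
    query, params = sql("SELECT id, name FROM users WHERE name = ",
                        Interpolation(name))
    return conn.execute(query, params).fetchall()


def demo():
    """Run the tag against an in-memory table with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",)])
    # Constructed input containing a quote and an OR clause: because it is
    # bound as a parameter it is compared as a literal string and matches nothing.
    quoted = "alice' OR '1'='1"
    return find_user(conn, "alice"), find_user(conn, quoted)


if __name__ == "__main__":
    print(demo())
```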
It seems possible for a plugin for an IDE to support this for some arbitrary tag and its associated DSL. IDEs track explicit definitions/imports to determine the source of a name; and in principle, they presumably could call a registered plugin on specific usage in a tag string. It would be very cool if they could do this, especially because language support is already available for so many DSLs that could be used - HTML, SQL, shell, etc - they would just need to take into account any interpolations that are used; and work around that.
It’s a good question. Here’s one possible answer with respect to name collisions. I will often use `f` as a generic function name, or for a throwaway function when using the REPL. But I have never confused that usage with using an f-string. That’s one anecdote, but my feeling here is that the syntactic position really matters.
In any event, if name collisions are a problem, that’s something an IDE could certainly determine for a user.