Yes, the DBI documentation says that only one command should be run at a time. That is more of a recommendation of how the DBI is intended to be used. It is not necessarily descriptive of what will be accepted. Whether multiple commands are accepted is up to the individual drivers and databases:

In ODBC terms, the DBI is in "pass-thru" mode, although individual drivers might not be.

I have seen DBD::Mysql and DBD::Sybase accept multiple commands at a time. I don't know about other drivers.

But, as you say, unless there's a bug in the quoting code, placeholders are quite safe. They won't necessarily prevent you from running multiple commands at once, but they will prevent user-supplied data from being interpreted as SQL commands.