in reply to Re^2: Catalyst or other frameworks in a security critical context
in thread Catalyst or other frameworks in a security critical context
Catalyst proper contains no SQL handling whatsoever. It's mostly just a dispatch framework with hooks for arranging various pieces into controllers, models, and views.
While adding in those parts it will be your responsibility to choose prefab/drop-in components that are secure or to write your own. DBIx::Class is a commonly used model driver, e.g., which is secure if used properly. It runs SQL parameters through DBI binding, for example.
If you have concerns about a particular piece or plugin, definitely bring them up on the Catalyst mailing list. You'll likely be soothed and if you discover a real issue, you'll see developers jump to fix it. A lot of very smart hackers work with Catalyst so the odds that it and its major extensions are safe are higher than they would be rolling your own; even if you were smarter than all of them. :) More eyes, more hands, more test suites, more live deployments.
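The point about DBIx::Class handing values to DBI as bind parameters, shown side by side with raw interpolation. This is an added example, not code from the post above nor from Catalyst or DBIx::Class themselves; it assumes DBI, DBD::SQLite and DBIx::Class are installed, and the schema class, table and rows are constructed here purely for illustration.

```perl
#!/usr/bin/env perl
# Added example (not from the original post or from Catalyst/DBIx::Class):
# the same lookup done three ways against an in-memory SQLite database.
# Assumes DBI, DBD::SQLite and DBIx::Class are installed; the schema,
# table and rows below are constructed for illustration.
use strict;
use warnings;

package My::Schema::Result::User;
use base 'DBIx::Class::Core';
__PACKAGE__->table('users');
__PACKAGE__->add_columns(qw(id name role));
__PACKAGE__->set_primary_key('id');

package My::Schema;
use base 'DBIx::Class::Schema';
__PACKAGE__->register_class(User => 'My::Schema::Result::User');

package main;
use DBI;

my $schema = My::Schema->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1 });
my $dbh = $schema->storage->dbh;
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$schema->resultset('User')->populate([
    [qw(name role)],
    [ 'alice', 'admin' ],
    [ 'bob',   'user'  ],
]);

# Constructed attacker input: closes the quoted string and appends a tautology.
my $input = "nobody' OR '1'='1";

# 1. Interpolation: the input becomes part of the SQL text (vulnerable).
#    The WHERE clause now reads: name = 'nobody' OR '1'='1'
my $unsafe = $dbh->selectcol_arrayref(
    "SELECT name FROM users WHERE name = '$input'");
printf "interpolated: %d row(s) (%s)\n", scalar @$unsafe, join ',', @$unsafe;

# 2. Plain DBI with a placeholder: the input travels as a bind value,
#    so it is compared as a literal string and matches nothing.
my $bound = $dbh->selectcol_arrayref(
    'SELECT name FROM users WHERE name = ?', undef, $input);
printf "DBI bind:     %d row(s)\n", scalar @$bound;

# 3. DBIx::Class: a hashref condition is rendered as "name = ?" and the
#    value is bound. Storage debug prints the generated SQL and binds to
#    STDERR so you can see that the input never appears in the SQL text.
$schema->storage->debug(1);
my @rows = $schema->resultset('User')->search({ name => $input })->all;
$schema->storage->debug(0);
printf "DBIx::Class:  %d row(s)\n", scalar @rows;

# Caveat ("secure if used properly"): a scalar reference in a condition is
# literal SQL and is NOT bound, so building one from user input reintroduces
# the injection. Left commented out on purpose.
# my @bad = $schema->resultset('User')->search({ name => \"= '$input'" })->all;
```

Case 1 returns both users, cases 2 and 3 return none. The closing comment is the practical caveat behind "if used properly": DBIx::Class only binds what you give it as plain values; literal-SQL escape hatches (scalar references, `-literal`, hand-written SQL in a custom resultset) are passed through verbatim and must never be built from request data.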