
Yeah, when a function is called as a "tagged template literal"[1] the function takes control over how the parameters are handled. Postgres.js uses this to replace the value with $1, $2, etc., and send over the value as parameters to the database, thereby preventing any chance of SQL injection[2].

[1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe... [2] https://github.com/porsager/postgres#await-sql---result
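A minimal model of the mechanism the comment describes, added here as an illustration (this is not Postgres.js's own code): the tag function receives the literal text chunks and the interpolated values separately, so it can emit `$1`, `$2` placeholders and keep the values in a parameter array that a driver would send to the database as bind parameters. The `sql` name, the `{ text, values }` return shape and the sample input are assumptions for this example.

```javascript
// Added illustration of a tagged-template query builder. It is not the
// Postgres.js implementation; it only shows why the tag function, not the
// caller, decides what happens to interpolated values.
function sql(strings, ...values) {
  // A tagged call passes a frozen strings array carrying a `.raw` property.
  // A plain call such as sql("select ... " + input) passes a single string;
  // rejecting it keeps callers from silently falling back to concatenation.
  if (!Array.isArray(strings) || !Array.isArray(strings.raw)) {
    throw new TypeError('sql must be used as a tagged template literal');
  }
  let text = strings[0];
  const params = [];
  values.forEach((value, i) => {
    // Each interpolated value becomes a numbered placeholder in the SQL
    // text and is pushed, unmodified, onto the parameter list.
    params.push(value);
    text += `$${i + 1}` + strings[i + 1];
  });
  return { text, values: params };
}

// Constructed sample input: a name that would terminate the string literal
// in a concatenated query, but is just data when bound as a parameter.
const hostileName = "' OR 1=1 --";
const query = sql`select * from users where name = ${hostileName} and active = ${true}`;
// query.text   -> "select * from users where name = $1 and active = $2"
// query.values -> ["' OR 1=1 --", true]

// For contrast, the pattern that parameterisation replaces: the same input
// spliced straight into the SQL text, where the quote and "--" become syntax.
const concatenated = `select * from users where name = '${hostileName}'`;
// concatenated -> "select * from users where name = '' OR 1=1 --'"
```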



nice!



