Do the parameters of a string passed to the @Query annotation, for Spring, get treated as pure data as they would if, for example, you were using the PreparedStatement class or any method meant to prevent SQL injection?
String MY_QUERY = "SELECT * FROM some_table WHERE some_column = ?1";
@Query(value=MY_QUERY, nativeQuery = true)
List<SomeEntity> findResults(String potentiallyMaliciousUserInput);
It looks like Spring Data's
@Query is just a wrapper around JPA
See this SO answer: Are SQL injection attacks possible in JPA?