rowanG077 2 months ago
Shooting any unsanitized input into your application is bad. Template strings don't make this worse. any_func(attacker_provided) is even worse than any_func(t"{attacker_provided}") since in the latter case you actually have reduced the attack surface to just strings.