The current implementation of \helper_plugin_sqlite::query escapes all arguments as string literals, so it cannot be used to escape identifiers (for example, ORDER BY $something). This forces programmers to concatenate identifiers directly into the SQL query string, which may lead to security issues.
According to https://sqlite.org/lang_keywords.html, SQLite distinguishes between two string quotations:
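An added example (not the plugin's own code) of why string-literal escaping does not work for ORDER BY and how an identifier can be handled instead: SQLite reads single quotes as a string literal and double quotes as an identifier. The functions `quote_identifier` and `order_by_clause`, the `pages` table and the request value are hypothetical, and plain PDO stands in for the plugin's query method.

```php
<?php
// Added example; function names, table and input are constructed for illustration.

/** Quote a name as an SQLite identifier: wrap in double quotes, double embedded ones. */
function quote_identifier(string $name): string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('invalid identifier');
    }
    return '"' . str_replace('"', '""', $name) . '"';
}

/** Build ORDER BY from untrusted input: allowlist the column, pin the direction. */
function order_by_clause(string $column, string $direction, array $allowed): string
{
    // Quoting alone is not enough: SQLite may treat an unknown double-quoted
    // name as a string literal, so only known columns are accepted.
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $dir = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
    return ' ORDER BY ' . quote_identifier($column) . ' ' . $dir;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (title TEXT, "last edit" INTEGER)');
$db->exec("INSERT INTO pages VALUES ('b', 2), ('a', 3), ('c', 1)");

$sort = 'last edit'; // constructed request parameter

// Escaped as a string literal: ORDER BY 'last edit' sorts by a constant
// expression, so the requested ordering is silently not applied.
$literalSql = 'SELECT title FROM pages ORDER BY ' . $db->quote($sort);
print_r($db->query($literalSql)->fetchAll(PDO::FETCH_COLUMN));

// Escaped as an identifier after the allowlist check: sorts by the column.
$identSql = 'SELECT title FROM pages'
    . order_by_clause($sort, 'asc', ['title', 'last edit']);
print_r($db->query($identSql)->fetchAll(PDO::FETCH_COLUMN));

// Hostile input stays one identifier token when quoted, and the allowlist rejects it.
$hostile = 'title"; DROP TABLE pages; --';
echo quote_identifier($hostile), PHP_EOL;
try {
    order_by_clause($hostile, 'asc', ['title', 'last edit']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```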