Any input passed to jq(text,text) is directly passed through to jq's internal compiler, so it's a job left for that.
Now, can jq be used for SQL injection in an SQLite context? That's interesting in theory, but I'd assume any decent driver would validate its input as data and not code.
Is there any way to write "malicious" jq code (endless loops, IO, …)?
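An added example, not part of the original comment and not the extension's code: it contrasts splicing a jq program into the SQL text with binding it as a parameter, using Python's sqlite3 module. `fake_jq` is a hypothetical stand-in for jq(text,text) that accepts only simple paths; the tables and the payload are constructed for the demonstration.

```python
import json
import re
import sqlite3

# Stand-in for the extension's jq(text, text): NOT real jq. It accepts only
# simple paths such as ".a.b" and rejects everything else, the way a compiler
# rejects a program that does not parse.
PATH_RE = re.compile(r"^(\.[A-Za-z_][A-Za-z0-9_]*)+$")

def fake_jq(doc, program):
    if not PATH_RE.match(program):
        raise ValueError("jq: compile error")
    value = json.loads(doc)
    for key in program.lstrip(".").split("."):
        value = value[key]
    return value if isinstance(value, (str, int, float)) else json.dumps(value)

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("jq", 2, fake_jq)
    conn.executescript("""
        CREATE TABLE docs(doc TEXT);
        CREATE TABLE secrets(secret TEXT);
        INSERT INTO docs VALUES ('{"user": {"name": "alice"}}');
        INSERT INTO secrets VALUES ('constructed-secret');
    """)
    return conn

def query_concatenated(conn, program):
    # Weak: the jq program is spliced into the SQL text, so a quote in it
    # ends the string literal and the rest is parsed as SQL.
    sql = "SELECT jq(doc, '" + program + "') FROM docs"
    return [row[0] for row in conn.execute(sql)]

def query_bound(conn, program):
    # Hardened: the jq program is bound as a value; SQLite never parses it.
    try:
        return [row[0] for row in conn.execute("SELECT jq(doc, ?) FROM docs", (program,))]
    except sqlite3.OperationalError as exc:
        return ["rejected by jq: " + str(exc)]

# Constructed input that is both a broken jq program and a SQL fragment.
PAYLOAD = ".user.name') FROM docs UNION SELECT secret FROM secrets --"

if __name__ == "__main__":
    conn = open_db()
    print(query_bound(conn, ".user.name"))
    print(query_concatenated(conn, PAYLOAD))
    print(query_bound(conn, PAYLOAD))
```

With binding, the whole payload reaches the jq function as one text value and fails there as an invalid program; binding does nothing about what a valid jq program is allowed to do once it runs.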