Frankly, this is almost entirely speculative. I don't see any viable exploits through either of these codepaths. But automated tooling doesn't see the implicit constraints on these values, so might as well do more sanitization.