I think that SQLi is not really related to this discussion. It is very easy for a SQL builder to correctly escape all sorts of literals, so it can handle this transparently. I mean, you're handling it just the same when using cb.literal(). Btw, using a String literal in a predicate generates a bind variable: cb.equal(from.get("title"), cb.literal("abc")... A configuration option would definitely be a pragmatic way forward.
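The point about cb.literal() versus a bind parameter, shown as an added example that is not part of the comment above or of any project's code. It assumes a hypothetical `Book` entity with a String `title` attribute and an injected `EntityManager`; the JPA Criteria API calls themselves are standard.

```java
import jakarta.persistence.EntityManager;
import jakarta.persistence.criteria.CriteriaBuilder;
import jakarta.persistence.criteria.CriteriaQuery;
import jakarta.persistence.criteria.ParameterExpression;
import jakarta.persistence.criteria.Root;
import java.util.List;

public class BookQueries {
    private final EntityManager em;  // assumed to be supplied by the container

    public BookQueries(EntityManager em) {
        this.em = em;
    }

    // Predicate built with cb.literal(): the value is passed to the builder as an
    // expression object, never spliced into query text, so the provider is free
    // to render it as a bind variable or an escaped literal.
    public List<Book> findByTitleLiteral(String title) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Book> q = cb.createQuery(Book.class);
        Root<Book> from = q.from(Book.class);
        q.select(from).where(cb.equal(from.get("title"), cb.literal(title)));
        return em.createQuery(q).getResultList();
    }

    // Same predicate with an explicit parameter: the value is bound at execution
    // time through setParameter(), which is the conventional way to keep
    // user input out of the SQL text.
    public List<Book> findByTitleParam(String title) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Book> q = cb.createQuery(Book.class);
        Root<Book> from = q.from(Book.class);
        ParameterExpression<String> p = cb.parameter(String.class, "title");
        q.select(from).where(cb.equal(from.get("title"), p));
        return em.createQuery(q).setParameter("title", title).getResultList();
    }

    // For contrast, the pattern the SQL builder protects you from: concatenating
    // the raw value into JPQL text. Here the input participates in parsing, which
    // is where SQL injection becomes possible. Kept only to show the difference.
    public List<Book> findByTitleUnsafe(String title) {
        String jpql = "select b from Book b where b.title = '" + title + "'";
        return em.createQuery(jpql, Book.class).getResultList();
    }
}
```

Whether a provider renders cb.literal() as a bind variable or an inlined escaped literal is an implementation choice; in both safe variants the application never builds query text from the input.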