Neo4j Security

On the subject of Cypher injection, usage of parameters is always preferred over string appending (either within Cypher itself or when assembling the query client-side). Parameters are never allowed to be interpreted as part of the query and have no means of escaping out of being anything other than a value of some sort.

There are some points of vulnerability though that you should be aware of.

Our fulltext schema indexing (which is different than our regular schema indexes) uses Lucene, and expects Lucene query strings, and those query strings can accept boolean logic and wildcard characters and more, allowing a query string to be formatted that can return more or different data than expected (as long as that data is in the index being queried). That can happen with a string parameter. But it still cannot break out of the index call and do arbitrary Cypher operations. (A thread on this here: Preventing SQL injection when using neo4j full text search)

The largest point of vulnerability is when you're executing Cypher query strings, as you are forced to do if using certain APOC procedures (apoc.periodic.iterate(), apoc.cypher.run(), apoc.cypher.doIt(), the conditional procs like apoc.when(), etc). Since you're assembling a Cypher query string for execution, any means of string appending is vulnerable to Cypher injection. There are ways to pass parameters into the proc and use those parameters within the proc safely. But whenever you're explicitly appending strings together there's potential for injection.

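The two points made above (a Lucene query string arriving as a parameter can still carry wildcards and boolean syntax, and any string appending inside an APOC query string is injectable) as an added example that is not part of the original post. It assumes the returned query text and parameter map are handed to a driver call such as `session.run(text, params)`; no database is contacted here, the functions only build the query so its shape can be inspected and unit-tested. The escaping rule mirrors the character set of Lucene's classic `QueryParser.escape`; whether a given Neo4j version also honours bare `AND`/`OR`/`NOT` keywords is not stated on the page, so the phrase helper is offered as the conservative option.

```python
"""Building Neo4j queries so that user input only ever travels as a value.

Added example, not code from the original post or from Neo4j/APOC.
Assumption: the (cypher_text, params) pair is passed to a driver call such
as session.run(cypher_text, params). Nothing here talks to a database.
"""
import re
from typing import Callable

# Characters the Lucene classic query parser treats as syntax.  Escaping them
# turns a user-supplied string into plain terms: 'foo*' no longer wildcards,
# 'title:bar' no longer targets a field.  Bare AND / OR / NOT keywords are
# not characters and are therefore NOT neutralised by this function.
_LUCENE_SPECIAL = re.compile(r'([+\-&|!(){}\[\]^"~*?:\\/])')


def escape_lucene(term: str) -> str:
    """Backslash-escape every Lucene syntax character in ``term``."""
    return _LUCENE_SPECIAL.sub(r'\\\1', term)


def literal_phrase(term: str) -> str:
    """Escape and wrap in double quotes so the whole input is one phrase.

    Inside a quoted phrase the boolean keywords are ordinary words, so this
    is the conservative choice when the input must never act as syntax.
    """
    return '"' + escape_lucene(term) + '"'


def fulltext_query(index_name: str, user_term: str) -> tuple[str, dict]:
    """Fulltext lookup: the index name and the *escaped* term are parameters.

    The Cypher text is constant; only the parameter map changes per request.
    """
    text = ("CALL db.index.fulltext.queryNodes($index, $q) "
            "YIELD node, score RETURN node, score")
    return text, {"index": index_name, "q": escape_lucene(user_term)}


# --- APOC: the inner statement is itself Cypher that gets parsed -----------

def unsafe_apoc_lookup(name: str) -> dict:
    """VULNERABLE pattern (kept here only as the 'before' to compare against):
    the user value is spliced into the inner Cypher string, so the text that
    apoc.cypher.run parses changes with every input."""
    inner = "MATCH (p:Person {name: '" + name + "'}) RETURN p"
    outer = "CALL apoc.cypher.run($inner, {}) YIELD value RETURN value"
    return {"outer": outer, "inner": inner, "params": {"inner": inner}}


def safe_apoc_lookup(name: str) -> dict:
    """Safe pattern: the inner statement references $name, and the value is
    forwarded through apoc.cypher.run's params map.  The parsed text never
    depends on user data."""
    inner = "MATCH (p:Person {name: $name}) RETURN p"
    outer = "CALL apoc.cypher.run($inner, {name: $name}) YIELD value RETURN value"
    return {"outer": outer, "inner": inner, "params": {"inner": inner, "name": name}}


def statement_varies_with_input(builder: Callable[[str], dict]) -> bool:
    """Regression check for a query builder: feed two benign but different
    names and report whether the inner Cypher text changed.  A builder that
    passes returns False; any True result means input is reaching the parser."""
    # Constructed sample inputs; the apostrophe is an ordinary name, not a payload,
    # yet it is enough to corrupt a string-appended statement.
    a = builder("Alice")
    b = builder("O'Brien")
    return a["inner"] != b["inner"]


if __name__ == "__main__":
    print(fulltext_query("personNames", "smith* OR name:jones"))
    print("unsafe builder varies:", statement_varies_with_input(unsafe_apoc_lookup))
    print("safe builder varies:  ", statement_varies_with_input(safe_apoc_lookup))
```

`statement_varies_with_input` is the kind of assertion worth keeping in a test suite: it does not need a database, and it fails the moment someone replaces a parameter reference with concatenation in any builder that feeds `apoc.cypher.run`, `apoc.periodic.iterate` or similar.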