Your examples of sanitizing input aren’t really valid. In cli-app -al ; rm -rf /, rm -rf / isn’t being passed to cli-app at all. So, it couldn’t sanitize that input in any case.
A better example would be if you were using a database, and one of your arguments were passed to the database without first being sanitized. That could leave you open to a SQL injection.
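An added illustration of the commenter's two points (example code, not from the original thread): when a command string goes through a shell, the shell splits on `;` and the program only ever receives `-al`, so the defence belongs in the caller (pass an argv list, never a shell string); for the database case, a parameterized query binds the argument as data. It assumes a POSIX sh and uses a tiny Python stand-in for cli-app and a harmless `echo` in place of the destructive command.

```python
import json
import shlex
import sqlite3
import subprocess
import sys

# Constructed stand-in for "cli-app": prints the argv it actually received.
CLI_APP = [sys.executable, "-c",
           "import sys, json; print(json.dumps(sys.argv[1:]))"]


def run_via_shell(user_args):
    """Hand one command string to /bin/sh (shell=True).
    The shell, not cli-app, parses ';', so cli-app sees only what precedes
    it and has no chance to sanitize the second command.
    Returns (argv cli-app received, output of whatever else the shell ran)."""
    cmd = " ".join(shlex.quote(a) for a in CLI_APP) + " " + user_args
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    lines = out.strip().splitlines()
    return json.loads(lines[0]), "\n".join(lines[1:])


def run_via_argv(user_args):
    """Pass the user's text as a single argv element: no shell is involved,
    so ';' is an ordinary character inside the one argument cli-app gets."""
    out = subprocess.run(CLI_APP + [user_args], capture_output=True, text=True).stdout
    return json.loads(out)


def lookup_user(name):
    """Database case: bind the argument with a placeholder so it is treated
    as a value, never parsed as SQL. Uses a constructed in-memory table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(name TEXT)")
    con.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    rows = con.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(run_via_shell("-al ; echo injected"))  # (['-al'], 'injected')
    print(run_via_argv("-al ; echo injected"))   # ['-al ; echo injected']
    print(lookup_user("x' OR 1=1 --"))           # []
```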