I don't think you understand what the code is doing. That's a string templating function, not a raw templated string. `${formData.get('name')}` will get passed as a parameter in a var-arg, not stuck straight into the string.
I mean that node-posgres doesn't encourage anyone to include parameter values through string concatenation, at least no more than porsager or other SQL-based clients.
Not sure what ORMs have to do with it. They do include a safe parameter substitution mechanism, but so do typical SQL-based clients.
It doesn't explicitly encourage you to do it, but it's very much right there - waiting to happen because you always just pass a string to the query function? In Postgres.js you have to use a function that is specifically named `unsafe` to do that.
The examples on https://node-postgres.com/features/queries clearly show how to use parametrized queries. Of course you /can/ concatenate strings, no library in the JS land will prevent you from doing that. But the examples are pretty clear how to do it correctly.