The documentation is very unclear on this. Or at least, badly worded. In one paragraph it says that Phalcon does this for you, then a few paragraphs later, it says you should use "bound parameters" to safeguard against SQL injections.
I was under the impression Phalcon did this for you as well until reading this thread. But after reading the documentation again, I realized it's quite clear on this:
Bound parameters are also supported in Phalcon\Mvc\Model. Although there is a minimal performance impact by using bound parameters, you are encouraged to use this methodology so as to eliminate the possibility of your code being subject to SQL injection attacks.
This comes right after the section on filtering resultsets, so it means: when reading from the database, you should use bound parameters to avoid SQL injection. See Binding Parameters.
The part that may confuse beginners comes a little bit later under Creating/Updating Records:
Values assigned directly or via the array of attributes are escaped/sanitized according to the related attribute data type. So you can pass an insecure array without worrying about possible SQL injections:
Then under Avoiding SQL Injections:
Every value assigned to a model attribute is escaped depending on its data type. A developer doesn't need to manually escape each value before storing it in the database. Phalcon uses internally the bound parameters capability provided by PDO to automatically escape every value to be stored in the database.
In other words: when saving to the database, you don't need to worry about using bound parameters because Phalcon does this for you.
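To make the distinction concrete, here is an added example (mine, not code from this thread or from the Phalcon documentation). It assumes a model class `Robots` mapped to a table with columns `id`, `name` and `type`, and that `$name` and `$_POST` carry untrusted request input. The first read builds the WHERE clause by string concatenation, which Phalcon does not escape; the second read uses bound parameters; the write relies on the automatic escaping the documentation describes.

```php
<?php
// Added example, not from the thread or the Phalcon docs.
// Assumes a Robots model over a table with columns id, name, type.

use Phalcon\Mvc\Model;

class Robots extends Model
{
    public $id;
    public $name;
    public $type;
}

$name = $_GET['name'] ?? '';   // untrusted input

// READING, vulnerable: the raw value is spliced into the SQL text.
// Phalcon does NOT escape this; a value such as  ' OR '1'='1  rewrites the query.
$unsafe = Robots::find("name = '" . $name . "'");

// READING, hardened: bound parameters. The value never becomes part of the
// SQL text; PDO sends it separately, so quotes inside $name are inert.
$safe = Robots::find([
    'conditions' => 'name = :name:',
    'bind'       => ['name' => $name],
]);

// findFirst takes the same form; positional placeholders also work.
$one = Robots::findFirst([
    'conditions' => 'name = ?0 AND type = ?1',
    'bind'       => [$name, 'mechanical'],
]);

// WRITING: every attribute value is bound through PDO internally, so the
// request array can be assigned and saved without manual escaping.
$robot = new Robots();
$robot->assign($_POST);   // e.g. ['name' => "O'Brien", 'type' => 'virtual']
if (!$robot->save()) {
    foreach ($robot->getMessages() as $message) {
        echo $message, PHP_EOL;
    }
}
```

Two caveats a practitioner will want: binding protects the value position only, so a column name or ORDER BY fragment taken from input still has to be checked against a whitelist rather than bound; and the automatic escaping on save says nothing about which attributes a user may set, so pass a whitelist to `assign()` (its argument order differs between Phalcon versions, check the one you run) rather than handing it the whole `$_POST` array.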