I’ve worked with a bunch of government agencies and the chances of a SQL injection are low. Not because they’re good, but because they’ll use some kind of framework to speed up development which will have injection prevention baked in.