Erik Darling bears the bad news:
If you’re using an Entity Framework, and sending in queries that build up IN clauses, they won’t end up getting parameterized.
Even Forced Parameterization won’t help you if you’re sending in other parameters. One limitation is that it doesn’t kick in for partially parameterized queries.
Even if they did get parameterized, well, what’s one funny thing about IN clauses? You don’t know how many values will be in them.
Read on for a couple of work-arounds for this.
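To make the problem visible before reading Erik's workarounds, here is an added T-SQL example (not code from Erik Darling's post, and not what Entity Framework itself emits). It assumes SQL Server with `sp_executesql` and table-valued parameters; the `dbo.Orders` table, the `dbo.IntList` type and the sample rows are constructed for the demo. The first two batches mimic an ORM query that carries one real parameter plus an inlined IN list of varying length, the DMV query shows that each list length becomes its own cached plan, and the last batch shows one general fix: passing the list as a table-valued parameter so the statement text stays constant no matter how many values are sent.

```sql
-- Added example (not from the original post): constructed table and data.
CREATE TABLE dbo.Orders (OrderID int PRIMARY KEY, CustomerID int NOT NULL, Amount money NOT NULL);
INSERT INTO dbo.Orders VALUES (1, 10, 5.00), (2, 11, 7.50), (3, 12, 1.25), (4, 13, 9.00);
GO

-- Shape of what an ORM typically sends: @p0 is parameterized, the IN list is
-- inlined as literals. Because the batch already has a parameter, forced
-- parameterization will not rewrite the literal list, so each distinct list
-- length is a distinct statement text.
EXEC sp_executesql
    N'SELECT OrderID FROM dbo.Orders WHERE Amount > @p0 AND CustomerID IN (10, 11)',
    N'@p0 money', @p0 = 1;
EXEC sp_executesql
    N'SELECT OrderID FROM dbo.Orders WHERE Amount > @p0 AND CustomerID IN (10, 11, 12)',
    N'@p0 money', @p0 = 1;
GO

-- Inspect the plan cache: expect one entry per distinct text, i.e. one per IN-list length.
-- The NOT LIKE clause keeps this diagnostic query from matching itself.
SELECT cp.usecounts, st.text
FROM sys.dm_exec_cached_plans AS cp
CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) AS st
WHERE st.text LIKE N'%dbo.Orders WHERE Amount > @p0%'
  AND st.text NOT LIKE N'%dm_exec_cached_plans%';
GO

-- Mitigation: send the list as a table-valued parameter. The statement text is now
-- identical whether 2 or 2000 ids are passed, so a single cached plan is reused.
CREATE TYPE dbo.IntList AS TABLE (Value int NOT NULL PRIMARY KEY);
GO
DECLARE @ids dbo.IntList;
INSERT INTO @ids VALUES (10), (11), (12);   -- any number of values, same query text
EXEC sp_executesql
    N'SELECT o.OrderID FROM dbo.Orders AS o JOIN @ids AS i ON i.Value = o.CustomerID WHERE o.Amount > @p0',
    N'@p0 money, @ids dbo.IntList READONLY',
    @p0 = 1, @ids = @ids;
GO
```

Run the DMV query again after the TVP batch and re-execute it with a different number of ids: the `usecounts` for the TVP text climbs while the literal-list texts each stay at one entry per length, which is the cache bloat the quoted post is warning about.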