Do I need to apply an escape function to VARCHAR2 to prevent any risk of SQL injection? Is that done automatically for form fields where I do not handle the data?
Forms uses binds for DML operations, so you don't have to escape strings as long as you don't code your own DML operations, e.g. in a PRE-INSERT trigger.
This only means that the way from the mask to the database is not prone to SQL injection. You still have to take care that the further processing of the data uses binds or escapes the strings, e.g. when you use dynamic SQL without binds in a stored procedure or when you embed the string in HTML output.
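As an added illustration of that second point (example code, not part of the original answer): a stored procedure that takes a VARCHAR2 the form has already stored and reuses it in dynamic SQL, first by concatenation and then with a bind. The `orders` table, its `cust_name` column and the procedure names are assumptions.

```sql
-- Vulnerable: the VARCHAR2 parameter is concatenated into the statement text,
-- so a single quote inside p_cust_name changes the SQL that actually runs.
CREATE OR REPLACE PROCEDURE find_orders_unsafe (p_cust_name IN  VARCHAR2,
                                                p_cnt       OUT NUMBER) IS
  l_sql VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT COUNT(*) FROM orders WHERE cust_name = '''
           || p_cust_name || '''';
  EXECUTE IMMEDIATE l_sql INTO p_cnt;
END;
/

-- Hardened: the value travels as a bind (USING). The statement text is a
-- constant, so a quote in the value is data, not syntax.
CREATE OR REPLACE PROCEDURE find_orders_safe (p_cust_name IN  VARCHAR2,
                                              p_cnt       OUT NUMBER) IS
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM orders WHERE cust_name = :name'
    INTO p_cnt USING p_cust_name;
END;
/

-- When a value cannot be bound (e.g. a table name chosen at runtime),
-- validate it as an identifier with DBMS_ASSERT instead of trusting the string.
CREATE OR REPLACE PROCEDURE count_rows (p_table IN  VARCHAR2,
                                        p_cnt   OUT NUMBER) IS
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM '
                    || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table)
    INTO p_cnt;
END;
/

-- If a literal really must be concatenated, DBMS_ASSERT.ENQUOTE_LITERAL
-- quotes it and doubles embedded quotes; binds remain the first choice.
```

The same rule applies on the way out: a value that was safely bound into the table still needs HTML escaping when it is written into a page.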