You already appear to have a discussion started at https://github.com/oracle/node-oracledb/issues/1236
And, if so, I had already replied via email that "You should use bind variables as much as possible. They are important for scalability and security. There are only a few cases not to use them." You can google any Oracle resource about using bind variables. They are not unique to node-oracledb.
I suggest you follow up using your GitHub issue. Thanks!