As you point out, you can build the SQL query. I've not seen any ORM that validates the SQL you pass it to build the query. This is how SQLi happens in the ORM tier.
objects = orm.rawQueryForObjects("select * from people where name = '" + name + "'")
Even SQLAlchemy has the mechanism I pointed out. I've never seen an ORM not have it because it becomes important if you're putting an ORM on top of a previously designed database or optimising queries.
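Added example, not part of the original comment: the concatenated raw-query pattern described above next to the same query with a bound parameter. It assumes Python's standard `sqlite3` module with an in-memory table of constructed rows, and `raw_query_for_objects` is a hypothetical stand-in for an ORM's raw-SQL hook, not any real ORM's API.

```python
import sqlite3
from dataclasses import dataclass

@dataclass
class Person:
    id: int
    name: str

def make_db():
    """Build an in-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO people (name) VALUES (?)",
                     [("alice",), ("bob",), ("O'Brien",)])
    return conn

def raw_query_for_objects(conn, sql, params=()):
    """Hypothetical raw-SQL hook: runs the SQL exactly as given, no validation."""
    return [Person(*row) for row in conn.execute(sql, params)]

def find_concatenated(conn, name):
    # Pattern from the comment: the value becomes part of the SQL text,
    # so a quote inside it changes the structure of the statement.
    return raw_query_for_objects(
        conn, "select id, name from people where name = '" + name + "'")

def find_bound(conn, name):
    # Same hook, but the value travels as a bound parameter and is
    # only ever compared as data, never parsed as SQL.
    return raw_query_for_objects(
        conn, "select id, name from people where name = ?", (name,))

if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    print("concatenated rows:", len(find_concatenated(conn, crafted)))
    print("bound rows:       ", len(find_bound(conn, crafted)))
    try:
        find_concatenated(conn, "O'Brien")  # a legitimate name also breaks it
    except sqlite3.OperationalError as exc:
        print("concatenated query failed on a real name:", exc)
    print("bound lookup:", find_bound(conn, "O'Brien"))
```

The raw-SQL hook is the same in both functions; only how the value reaches the database differs.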