Just wanted to get a straight answer on this: when submitting query_vars to a call to get_posts or WP_Query, is sanitization needed or does WordPress already take care of that?
No. Parameters given to the WP_Query object only need to be escaped for the database query – this is handled by WordPress.
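
An added example, not part of the original answer: request input passed to WP_Query with no manual SQL escaping, as the answer describes, while the code still decides which parameters a request may set and what type each must have. The function name and the request parameter names (`q`, `type`, `page`) are assumptions for illustration, and the code is meant to run inside WordPress (a theme or plugin).

```php
<?php
// Added example: hypothetical helper, not WordPress core code.
// Request parameter names ('q', 'type', 'page') are assumed for illustration.

function example_build_search_query( array $request ) {
    // Post types a visitor is allowed to ask for; anything else falls back to 'post'.
    $allowed_types = array( 'post', 'page' );

    // WordPress adds slashes to superglobals; remove them before using the values.
    $request = wp_unslash( $request );

    // Reject non-string input such as ?q[]=x. No esc_sql() or $wpdb->prepare()
    // call here: escaping for the database query is left to WP_Query.
    $search = ( isset( $request['q'] ) && is_string( $request['q'] ) )
        ? $request['q']
        : '';

    // Allow-list the post type instead of passing the raw value through.
    $type = ( isset( $request['type'] ) && is_string( $request['type'] ) )
        ? sanitize_key( $request['type'] )
        : 'post';
    if ( ! in_array( $type, $allowed_types, true ) ) {
        $type = 'post';
    }

    // Page number must be a positive integer.
    $paged = ( isset( $request['page'] ) && is_scalar( $request['page'] ) )
        ? max( 1, absint( $request['page'] ) )
        : 1;

    // Build the arguments key by key rather than handing the whole request
    // array to WP_Query, so a request cannot set keys it was never offered.
    $args = array(
        's'              => $search,
        'post_type'      => $type,
        'paged'          => $paged,
        'post_status'    => 'publish', // fixed server-side
        'posts_per_page' => 10,        // fixed server-side
    );

    return new WP_Query( $args );
}

$query = example_build_search_query( $_GET );
```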