
Uhhhh, you should be extremely careful with string interpolation around DB statements. The code sample you posted is pretty much a textbook case of a SQL injection vulnerability if the value of ${baz} is ever provided by a user.


No, it isn't... db.query method receives the parameters separately from the string parts and will turn it into a parameterized query. You're confusing/conflating db.query`...` with db.query(``);

https://www.javascript.christmas/2020/11

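To make the distinction in the reply above concrete, here is an added example (not code from the thread or from the linked article) of a minimal `sql` tag in the style of db.query`...`. The tag function receives the literal string pieces and the interpolated values as separate arguments, so the values can be emitted as bound parameters instead of being spliced into the SQL text. The `$1, $2, ...` placeholder style is an assumption (it matches positional-parameter drivers such as node-postgres); the `compile` helper, the `SqlFragment` class and the sample input are all constructed for this example.

```javascript
// Added example: tagged-template query builder that keeps data out of SQL text.

// Marker class so fragments built with sql`...` can be nested in other fragments.
class SqlFragment {
  constructor(strings, values) {
    this.strings = strings; // literal SQL pieces, as written in the template
    this.values = values;   // interpolated ${...} values, received separately
  }
}

// Tag function: invoked as sql`SELECT ... WHERE x = ${v}` (no parentheses).
// Unlike sql(`...`), the engine passes the string parts and the values apart.
function sql(strings, ...values) {
  return new SqlFragment(strings, values);
}

// Flatten a fragment into { text, values } using $1, $2, ... placeholders
// (assumed positional-parameter style; adapt to the driver you actually use).
function compile(fragment) {
  const values = [];
  let text = '';
  const walk = (frag) => {
    frag.strings.forEach((piece, i) => {
      text += piece;
      if (i < frag.values.length) {
        const v = frag.values[i];
        if (v instanceof SqlFragment) {
          walk(v);        // nested fragment: contributes SQL text and its own params
        } else {
          values.push(v); // plain value: becomes a bound parameter, never SQL text
          text += `$${values.length}`;
        }
      }
    });
  };
  walk(fragment);
  return { text, values };
}

// For contrast: the plain string interpolation the first commenter was warning about.
// Here the value really is concatenated into the statement text.
function unsafeQueryText(username) {
  return `SELECT * FROM users WHERE name = '${username}'`;
}

// Constructed sample input standing in for an untrusted request parameter.
const userInput = "' OR '1'='1";

const safe = compile(sql`SELECT * FROM users WHERE name = ${userInput}`);
// safe.text   -> "SELECT * FROM users WHERE name = $1"
// safe.values -> ["' OR '1'='1"]   (sent to the server as data, not parsed as SQL)

const unsafe = unsafeQueryText(userInput);
// unsafe -> "SELECT * FROM users WHERE name = '' OR '1'='1'"

// Composition: a nested sql`` fragment adds SQL text; its values stay bound.
const activeOnly = sql`AND active = ${true}`;
const composed = compile(sql`SELECT id FROM users WHERE name = ${userInput} ${activeOnly}`);
// composed.text   -> "SELECT id FROM users WHERE name = $1 AND active = $2"
// composed.values -> ["' OR '1'='1", true]
```

The check a reviewer can apply when reading such code: in the tagged form, untrusted input only ever lands in `values`, and `text` is built solely from pieces that were literals in the source file. The `instanceof SqlFragment` branch is the one place where something other than a source literal reaches `text`, which is why only objects produced by the `sql` tag itself are allowed there.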

Ah, sorry! I haven't used templates much and an interpolation inside a string triggered my "oh shit security problem" sense.


Can understand that... in general, have fought vigorously against ORMs (and DI/IoC tooling) in JavaScript, and use Dapper in C# with similar interfaces.

The template methods have allowed for some really powerful adaptations. Mostly in Database/SQL, XML/HTML, and JSS interpreters.



