Why on earth are people using string concatenation? Surely $wpdb->get_results should be deprecated in favour of something that accepts parameterised queries?
Why in the hell are people still injecting strings into queries? In 2021??!
There is no excuse to concatenate the id into the query string, but the first parameter, the table prefix is not something you can do with parametrized queries. There are probably better ways to abstract this, but in the end if you need to dynamically determine the tables or columns you have to concatenate that stuff into your SQL query string.
You're supposed to build the string with $wpdb::prepare[1] before running it through get_results. This will prevent SQLi. It's been available and recommended for like a decade, and any WP code linter will yell at you if you're just building queries out of random concatenated strings.
Why in the hell are people still injecting strings into queries? In 2021??!