There's no risk of injection as the values are quoted, no. Of course it's worth validating any input is roughly what you'd expect (an array of integers) but that's true of prepared statements too.
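// fetch row using prepared statements
$ids = array(1,2,3,4,5,6);
// One placeholder per id: a single ? would bind the whole "1,2,3,4,5,6"
// string as one value instead of six separate ids.
$placeholders = implode(',', array_fill(0, count($ids), '?'));
$row = $db->fetchRow(
    'SELECT some_column
    FROM xf_some_table
    WHERE id IN (' . $placeholders . ')',
    $ids
);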
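
The validation mentioned above (checking that the input really is an array of integers) can be done before the query is built. The following is an added example, not code from the original post or from XenForo; `idPlaceholders()` is a hypothetical helper, and the rule that ids are positive integers is an assumption.

```php
<?php
declare(strict_types=1);

/**
 * Validate a list of ids and return one "?" per id plus the values to bind.
 * Hypothetical helper for illustration; assumes ids are positive integers.
 *
 * @return array{0: string, 1: int[]} placeholder list and bind values
 */
function idPlaceholders(array $ids): array
{
    $clean = [];
    foreach ($ids as $id) {
        // Accepts 3 and "3"; rejects "1,2,3", "1 OR 1=1", 1.5 and nested arrays.
        $value = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($value === false) {
            throw new InvalidArgumentException('Every id must be a positive integer');
        }
        $clean[$value] = $value; // keyed by value to drop duplicates
    }
    if ($clean === []) {
        // "IN ()" is a syntax error in MySQL, so signal the caller to skip the query.
        return ['', []];
    }
    return [implode(',', array_fill(0, count($clean), '?')), array_values($clean)];
}

// Constructed sample inputs, as they might arrive from a request.
$samples = [[1, '2', 3, 3], [], ['1,2,3'], ['1 OR 1=1']];
foreach ($samples as $ids) {
    try {
        [$marks, $params] = idPlaceholders($ids);
        if ($marks === '') {
            echo "no ids, query skipped\n";
            continue;
        }
        // Only "?" characters are concatenated into the SQL; the values stay bound.
        $sql = "SELECT some_column FROM xf_some_table WHERE id IN ($marks)";
        echo $sql, ' <- ', json_encode($params), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected ', json_encode($ids), ': ', $e->getMessage(), "\n";
    }
}
```

The returned placeholder string and values can be passed to `$db->fetchRow()` in the same way as the snippet above.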