Thanks for pointing that out! I was indeed using PSR-3 loggers incorrectly without knowing it. However, I don't understand how placeholders reduce the security risk.

User supplied data should be sanitised anyway, whether used directly in the log message (which I now know is wrong) or in the context array. What am I missing?

Or is it meant to not sanitise user supplied data and persist whatever comes (including malicious stuff) and let the part of the software that displays the logs and interpolates the placeholders take care of the risk?