Possible SQL injection when used contains with EF?

I noticed that when using Contains in EF

.Where(i => myListOfStrings.Contains(i.Value)) 

The generated SQL looks like this:

 IN ('Value1', 'Value2') 

Since the values are not parameterized, is it possible to insert some SQL?

+6
1 answer

It is not that EF simply builds an IN statement from your Contains. At the very least, it will escape single quotes (by doubling them). Suppose you want to enter something like ") OR 1 = 1--" as suggested in the comments, expecting it to be converted to:

 where ... IN ('') OR 1 = 1 -- the rest 

But since single quotes are escaped, this will be:

 where ... IN (''') OR 1 = 1 --' -- the rest 

So, we are safe here because your whole statement is treated as a string.

+3
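To make the answer's point concrete, here is an added example that is not part of the original question or answer and not EF's own code. It builds the IN list three ways against an in-memory SQLite table (assumed here as a stand-in for the EF-mapped table: `items` with a text column `value`, matching the question's `i.Value`): with no escaping at all, with the quote-doubling the answer describes, and with real parameters. Running the answer's `') OR 1 = 1--` payload through each shows that only the unescaped version changes the query's meaning.

```python
import sqlite3

# Constructed sample rows standing in for the EF-mapped table (assumption).
SAMPLE_VALUES = ["Value1", "Value2", "Value3"]

# The payload discussed in the answer: a leading quote to close the literal,
# then ") OR 1 = 1--" to widen the predicate and comment out the rest.
PAYLOAD = "') OR 1 = 1--"


def sql_literal(s: str) -> str:
    """Render s as a single-quoted SQL literal, doubling embedded quotes.

    This mirrors the escaping the answer describes for the generated IN list;
    it is a local illustration, not EF's actual provider code.
    """
    return "'" + s.replace("'", "''") + "'"


def naive_in_query(values):
    """The unsafe version: user data concatenated with no escaping at all."""
    inlined = ", ".join("'" + v + "'" for v in values)
    return "SELECT value FROM items WHERE value IN (" + inlined + ")"


def escaped_in_query(values):
    """Inlined literals with quote doubling, as the answer says EF emits."""
    inlined = ", ".join(sql_literal(v) for v in values)
    return "SELECT value FROM items WHERE value IN (" + inlined + ")"


def parameterized_in_query(values):
    """One placeholder per value; the driver never sees user data as SQL text."""
    placeholders = ", ".join("?" for _ in values)
    sql = "SELECT value FROM items WHERE value IN (" + placeholders + ")"
    return sql, list(values)


def fresh_db():
    """Build a throwaway in-memory database holding SAMPLE_VALUES."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (value TEXT)")
    conn.executemany("INSERT INTO items VALUES (?)", [(v,) for v in SAMPLE_VALUES])
    return conn


def run_naive(values):
    """Rows returned when the unescaped query text is executed."""
    conn = fresh_db()
    return sorted(r[0] for r in conn.execute(naive_in_query(values)))


def run_escaped(values):
    """Rows returned when the quote-doubled query text is executed."""
    conn = fresh_db()
    return sorted(r[0] for r in conn.execute(escaped_in_query(values)))


def run_parameterized(values):
    """Rows returned when values are bound as parameters."""
    conn = fresh_db()
    sql, params = parameterized_in_query(values)
    return sorted(r[0] for r in conn.execute(sql, params))


if __name__ == "__main__":
    # Normal lookup: all three strategies agree.
    print(run_naive(["Value1", "Value2"]))          # ['Value1', 'Value2']
    print(run_escaped(["Value1", "Value2"]))        # ['Value1', 'Value2']
    print(run_parameterized(["Value1", "Value2"]))  # ['Value1', 'Value2']
    # The payload: only the unescaped build lets it alter the predicate.
    print(escaped_in_query([PAYLOAD]))  # ... IN (''') OR 1 = 1--')
    print(run_naive([PAYLOAD]))          # every row
    print(run_escaped([PAYLOAD]))        # []
    print(run_parameterized([PAYLOAD]))  # []
```

The `escaped_in_query` output reproduces the answer's `IN (''') OR 1 = 1--')` shape: the doubled quote keeps the whole payload inside one literal, so it is compared as data and matches nothing. SQLite's quoting rules match SQL Server's for this case (a single quote inside a literal is doubled), which is why it serves as the stand-in here; the parameterized variant is still the form to prefer when you control the query, since it does not rely on any escaping at all.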
