Does PDO use html special characters by default?
No; PDO is a database library and therefore does not care about HTML. If you display data from your database on a web page, you still need to output HTML code to display.
Just to clarify, if I use prepared statements, am I almost not susceptible to injection?
As long as you don't interpolate values directly into your queries, then yes - you are not vulnerable to SQL injection.
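Both answers above in one runnable script, as an added example that is not code from the original posts: the same input is interpolated into a query and then bound to a prepared statement, and a stored value is escaped only at output time. It assumes the `pdo_sqlite` extension; the `comments` table and all sample values are constructed for illustration.

```php
<?php
// Added example: constructed data, in-memory SQLite (assumes the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample rows; the second body contains markup and a quote.
$rows = [
    ['alice', 'Nice post'],
    ['bob', "<b>it's</b> <script>alert(1)</script>"],
];
$insert = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
foreach ($rows as [$author, $body]) {
    $insert->execute([':author' => $author, ':body' => $body]);
}

// Constructed hostile input for the author filter.
$input = "nobody' OR '1'='1";

// Interpolated: the input becomes part of the SQL text and the WHERE clause matches every row.
$interpolated = $pdo->query("SELECT body FROM comments WHERE author = '$input'")
                    ->fetchAll(PDO::FETCH_COLUMN);

// Prepared: the input is bound as a value, so it is compared literally and matches nothing.
$select = $pdo->prepare('SELECT body FROM comments WHERE author = :author');
$select->execute([':author' => $input]);
$prepared = $select->fetchAll(PDO::FETCH_COLUMN);

printf("interpolated: %d rows, prepared: %d rows\n", count($interpolated), count($prepared));

// PDO stored and returned bob's markup byte for byte; it did no HTML escaping.
$select->execute([':author' => 'bob']);
$body = $select->fetchColumn();
var_dump($body === $rows[1][1]);

// Escaping for HTML is a separate step at output time.
echo '<p>', htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "</p>\n";
```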