Yes, all values passed to create() are properly quoted for insertion into the database, so you're protected from SQL injection attacks.
However, they are not "sanitized" beyond that, so you need to of course be careful when you send them back to the view to properly escape them. This is obviously not the bailiwick of ActiveRecord...
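An added illustration of the distinction made in this answer (not the poster's code, and using only Ruby's standard library rather than ActiveRecord): a value that create() stores verbatim is rendered once without escaping and once through ERB::Util.html_escape, which is what a view must do before echoing it back.

```ruby
require "erb"

# Constructed sample: what a user might submit and what create() would store
# verbatim. Quoting protects the INSERT statement; it does not alter the value.
STORED_NAME = %q{<script>alert("xss")</script> O'Brien}

# Unsafe rendering: plain ERB <%= %> does not escape, so stored markup
# becomes live HTML in the page.
def render_unescaped(value)
  ERB.new("<li><%= value %></li>").result(binding)
end

# Safe rendering: escape & < > " ' at output time (Rails' <%= %> does this
# automatically; plain ERB needs an explicit call).
def render_escaped(value)
  ERB.new("<li><%= ERB::Util.html_escape(value) %></li>").result(binding)
end

if __FILE__ == $0
  puts render_unescaped(STORED_NAME)
  puts render_escaped(STORED_NAME)
end
```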