wpdb::insert will only ensure that data is inserted safely (i.e prevents against SQL injection). It will not sanitize your data (e.g. stripping certain/all HTML), that’s down to you.
You can either use wp_strip_all_tags, which removes all HTML, or a variation of wp_kses, which is a sophisticated library for removing certain (x)HTML tags & entitites.
The output of wpdb->last_query is:
You’ve been tricked! The reason you don’t see <script>alert(\'hello\')</script> is because it’s being parsed by the browser when you output it – if you escape your debug output you’ll see the two are the same:
<?php echo esc_html( $wpdb->last_query ) ?>