Do I need to escape data passed to wp_localize_script()?

As far as I know, wp_localize_script doesn’t escape data any more than is necessary to produce valid JSON, and everything is sent as a string. The function was originally designed to allow translating the strings used in your JS into other languages (hence the “localize” part of the function name). So if the data you’re passing is coming from a user input or is otherwise user-generated, then you’ll definitely want to escape it.
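
An added example, not part of the original answer: one way to treat the localized object as untrusted in the browser and encode each value for the context it lands in. The object name `myPluginData`, its fields and the helper functions are hypothetical, and the sample values are constructed.

```javascript
// Constructed sample of what wp_localize_script() prints into the page for a
// hypothetical object name "myPluginData"; the values arrive as strings.
const myPluginData = {
  displayName: '<b onmouseover="x()">Bob</b> & co',
  profileUrl: 'javascript:void(0)',
  commentCount: '12',
};

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for use in HTML text or inside a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Accept only absolute http(s) URLs; anything else becomes a harmless "#".
function safeHttpUrl(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '#';
  } catch (err) {
    return '#';
  }
}

// Numbers come through as strings, so parse strictly instead of trusting them.
function toCount(value) {
  return /^\d+$/.test(String(value)) ? Number(value) : 0;
}

// Build markup from the localized data, encoding each value for its context:
// URL scheme check plus attribute escaping for href, HTML escaping for text.
function renderProfileLink(data) {
  const href = escapeHtml(safeHttpUrl(data.profileUrl));
  const name = escapeHtml(data.displayName);
  return `<a href="${href}">${name}</a> (${toCount(data.commentCount)})`;
}
```

Where the value only needs to appear as text, assigning it to an element's `textContent` avoids building an HTML string at all.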
