TLDR: No parameters need to be escaped.
The below assumes no third-party code hooked into any filters run by the wp_get_attachment_image() function or sub-function calls:
$attachment_id (parameter 1)
This is used to get the attachment post and reference it in other functions. This parameter is not used in direct output and thus does not need to be escaped.
$size (parameter 2)
This is used in the class attribute of the <img> tag (if the class attribute is not defined by parameter 4, $attr):
    $size_class = $size;
    if ( is_array( $size_class ) ) {
        $size_class = implode( 'x', $size_class );
    }
    $default_attr = array(
        'src' => $src,
        'class' => "attachment-$size_class size-$size_class",
The output of these attributes is then escaped in the function by the line:
    $attr = array_map( 'esc_attr', $attr );
$icon (parameter 3)
This parameter is only used to be passed to a child call to wp_get_attachment_image_src(). In this function, the $icon parameter is only used as a boolean check. Thus, this parameter is not used in direct output or unguarded SQL queries and thus does not need to be escaped.
$attr (parameter 4)
wp_get_attachment_image() adds some extra attributes for optimizations and such. These are merged into $attr. The attributes are then escaped in the function by the line:
    $attr = array_map( 'esc_attr', $attr );
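The flow described above, reduced to a standalone script that runs without WordPress, as an added example that is not WordPress core code or part of the original answer. demo_esc_attr() is a stand-in for esc_attr() built on htmlspecialchars(), demo_image_tag() is a hypothetical reduction of the function, and all inputs are constructed.

```php
<?php
// Added illustration, not WordPress core code.
// demo_esc_attr() is a stand-in for esc_attr(); demo_image_tag() is hypothetical.
function demo_esc_attr( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
}

function demo_image_tag( $src, $size, array $attr = array() ) {
    // $size may be a named size or a [width, height] array.
    $size_class = $size;
    if ( is_array( $size_class ) ) {
        $size_class = implode( 'x', $size_class );
    }

    $default_attr = array(
        'src'   => $src,
        'class' => "attachment-$size_class size-$size_class",
    );

    // Caller-supplied attributes override the defaults
    // (array_merge() stands in for the merge step here).
    $attr = array_merge( $default_attr, $attr );

    // The single escaping step: every attribute value passes through it.
    // array_map() transforms values only; the keys used here are fixed literals.
    $attr = array_map( 'demo_esc_attr', $attr );

    $html = '<img';
    foreach ( $attr as $name => $value ) {
        $html .= " $name=\"$value\"";
    }
    return $html . ' />';
}

// Constructed inputs, two of them containing quote and angle-bracket characters.
$cases = array(
    'named size'  => demo_image_tag( '/uploads/a.jpg', 'medium' ),
    'array size'  => demo_image_tag( '/uploads/a.jpg', array( 300, 200 ) ),
    'quoted size' => demo_image_tag( '/uploads/a.jpg', 'x" data-injected="1' ),
    'markup alt'  => demo_image_tag( '/uploads/a.jpg', 'thumbnail', array( 'alt' => '"><b>cat</b>' ) ),
);

foreach ( $cases as $label => $html ) {
    // Check: only the opening "<" remains and no extra attribute materialised.
    $ok = substr_count( $html, '<' ) === 1 && strpos( $html, 'data-injected="' ) === false;
    printf( "%-12s %s %s\n", $label, $ok ? 'OK ' : 'BAD', $html );
}
```

Every case prints OK: the quotes and angle brackets in $size and in the $attr values arrive in the tag as entities, so they stay inside their attribute values.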