The short answer is “yes”, the longer answer is “it depends”.
Why do you need to validate? because if you have code, which if used with wrong parameters will delete wordpress (very bad example I know), you should made double sure that it is not triggered by some DB corruption, or more likely, misbehaving filter.
Lets look at this code which handles the state of nuclear weapons under trump 😉 which can have the values “dormant”, “ready” and “engaged”. You might think that this code is enough
switch ($nuclear_state) {
case 'dormant':...
break;
case 'ready':....
break;
default : fire();
}
Hopefully no one in his right mind will use the nuclear war option as default in his code, but I hope that this servers as a good illustration as to the risk.
Your code should be
switch ($nuclear_state) {
case 'dormant':...
break;
case 'ready':....
break;
case 'engaged' : fire();
break;
default : exception('something is wrong with the system, notify admin');
}
And simply refuse to act on bad values.
This is why you should write code that does things, in separate from the code that handles getting the parameters for it. When you have an API like
function nuclear_state_change(string $state) {}
It can easily validate that $state makes sense and raise an exception in a way which is portable between all possible flows that might lead to its call (html, json, ajax, xml-rpc) and let the caller handle the exception.
Obviously it would be better for the caller to validate by itself, but the small overhead in coding is totally worth it especially during development when storing and sending wrong values happens more.
So why the “it depends” answer? If you have a full control of your system, you have audited all code and never install any new plugin or upgrade the theme without fully auditing it, maybe it is just an overhead. But this can probably apply only to small non complex one off projects. For complex projects something bad is much more likely to happen at some point in time, and you do not want it to go unnoticed.