No, you don’t need to escape hardcoded values.
As I understand it, if the URL doesn’t have an input via admin, it
should be okay.
Not necessarily. There’s many more potential sources of potentially malicious (or just accidentally broken) output that need to be accounted for, such as:
- Translations.
- Query strings ($_GET)
- Cookies.
- WordPress filters.
So generally you should escape any values output from most, if not all, functions and variables.