It’s always a good idea to sanitize values being accepted from the user. A WP_Customize_Cropped_Image_Control will populate its associated setting with an attachment ID. Thus you could use absint as the sanitizing function.
Remember that esc_attr is an escaping function and should only be used when printing out a value to the page, and here particularly in an HTML attribute. Note also that esc_url_raw() is not an escaping function, despite its name, but rather is actually a sanitizing function.
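
The split between sanitizing on input and escaping on output, as an added example that is not part of the original answer. The `mytheme_` setting IDs, function names, text domain and the extra link setting are hypothetical, and the default `title_tagline` section is used only for convenience.

```php
<?php
// Added example: hypothetical theme code, all mytheme_* names are assumptions.
add_action( 'customize_register', 'mytheme_customize_register' );

function mytheme_customize_register( $wp_customize ) {
    // The cropped image control stores an attachment ID, so the setting
    // is sanitized to a non-negative integer with absint().
    $wp_customize->add_setting( 'mytheme_banner_image', array(
        'default'           => 0,
        'sanitize_callback' => 'absint',
    ) );
    $wp_customize->add_control( new WP_Customize_Cropped_Image_Control(
        $wp_customize,
        'mytheme_banner_image',
        array(
            'label'   => __( 'Banner image', 'mytheme' ),
            'section' => 'title_tagline',
            'width'   => 1200,
            'height'  => 400,
        )
    ) );

    // A URL setting: esc_url_raw() sanitizes the value before it is stored.
    $wp_customize->add_setting( 'mytheme_banner_link', array(
        'default'           => '',
        'sanitize_callback' => 'esc_url_raw',
    ) );
    $wp_customize->add_control( 'mytheme_banner_link', array(
        'label'   => __( 'Banner link', 'mytheme' ),
        'section' => 'title_tagline',
        'type'    => 'url',
    ) );
}

// Template helper: escaping happens here, at output time, per context.
function mytheme_render_banner() {
    $attachment_id = absint( get_theme_mod( 'mytheme_banner_image', 0 ) );
    $src           = $attachment_id ? wp_get_attachment_image_url( $attachment_id, 'full' ) : false;
    if ( ! $src ) {
        return; // No image chosen, or the attachment no longer exists.
    }
    $alt  = get_post_meta( $attachment_id, '_wp_attachment_image_alt', true );
    $link = get_theme_mod( 'mytheme_banner_link', '' );
    printf(
        '<a href="%s"><img src="%s" alt="%s"></a>',
        esc_url( $link ),  // URL context
        esc_url( $src ),   // URL context
        esc_attr( $alt )   // HTML attribute context
    );
}
```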