It’s always a good idea to sanitize values being accepted from the user. A
WP_Customize_Cropped_Image_Control will populate its associated setting with an attachment ID. Thus you could use
absint as the sanitizing function.
esc_attr is an escaping function and should only be used when printing out a value to the page, and here particularly in an HTML attribute. Note also that
esc_url_raw() is not an escaping function, despite its name, but rather is actually a sanitizing function.