wpdb prepare without placeholder

Short answer:
You should use the way described in the documentation, sanitize anything that goes in an SQL query, and always use prepared statements.

Slightly longer answer:
The main use of $wpdb->prepare() is to prevent against SQL injection attacks.
Here, we don’t know where 'foo', 1337 and '%bar' come from. And that’s somewhat the deciding factor.

From a security perspective:

  • If it doesn’t come in any way (even indirect) from user input, it’s ok not to use prepared statements
  • If it comes from user input, even indirectly, the prepared statement is required
  • Most importantly, no one can predict the future: these variables’ value may not, directly or indirectly, come in any way from user input, but an update down the line might change that.