Re: PQexecParams, placeholders and variable lists of params - Mailing list pgsql-general

From David G. Johnston
Subject Re: PQexecParams, placeholders and variable lists of params
Date
Msg-id CAKFQuwbjD0jokC3WBJ-TcCXtXuW=pHDknZOKSBQ2tLtVm+um7w@mail.gmail.com
In response to Re: PQexecParams, placeholders and variable lists of params  (tomas@tuxteam.de)
Responses Re: PQexecParams, placeholders and variable lists of params  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-general
On Tue, Nov 23, 2021 at 7:21 AM <tomas@tuxteam.de> wrote:
> Makes sense. Problem is, that, again, the application would be
> responsible for making sure the individual values don't contain nasty
> stuff (for example, if they are strings) before consolidating them to
> one PostgreSQL array literal.


So long as you actually pass the literal value via a parameter, the worst problem you can have is a syntax error in converting the literal into whatever type is being cast to.

I personally tend to just build up a CSV-like string (my data is usually controlled enough that using the pipe symbol as a separator alleviates escaping concerns) and use string_to_array($1,'|') to get the array of values into the query.

David J.
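
The two ways of packing a variable-length list into the single parameter $1 that this message discusses, as an added C example (not code from the thread or from PostgreSQL). The helper names and the query shapes in the comments are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper for: ... = ANY (string_to_array($1, '|')).
 * Returns a malloc'd string, or NULL if a value contains sep or on OOM. */
char *join_for_string_to_array(const char *const *vals, size_t n, char sep)
{
    size_t len = 1;                          /* terminating NUL */
    for (size_t i = 0; i < n; i++) {
        if (strchr(vals[i], sep) != NULL)
            return NULL;                     /* would split into two elements */
        len += strlen(vals[i]) + 1;          /* value plus one separator */
    }
    char *out = malloc(len), *p = out;
    if (out == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (i > 0) *p++ = sep;
        size_t l = strlen(vals[i]);
        memcpy(p, vals[i], l);
        p += l;
    }
    *p = '\0';
    return out;
}

/* Hypothetical helper for: ... = ANY ($1::text[]).
 * Builds an array literal like {"a","b\"c"}: every element is
 * double-quoted, and " or \ inside it is preceded by a backslash. */
char *pg_text_array_literal(const char *const *vals, size_t n)
{
    size_t len = 3;                          /* '{', '}', NUL */
    for (size_t i = 0; i < n; i++)
        len += 2 * strlen(vals[i]) + 3;      /* all escaped, 2 quotes, comma */
    char *out = malloc(len), *p = out;
    if (out == NULL) return NULL;
    *p++ = '{';
    for (size_t i = 0; i < n; i++) {
        if (i > 0) *p++ = ',';
        *p++ = '"';
        for (const char *s = vals[i]; *s; s++) {
            if (*s == '"' || *s == '\\')
                *p++ = '\\';                 /* escape inside quoted element */
            *p++ = *s;
        }
        *p++ = '"';
    }
    *p++ = '}';
    *p = '\0';
    return out;
}
```

Either result is passed as the one entry of paramValues to PQexecParams with nParams = 1, so the SQL text stays the same whatever the length of the list.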
