Ok, done some more digging/reading.
The sanitize_meta function I mentioned above simply adds a filter that you can then hook to do custom sanitization. As per the codex function – it doesn’t do any sanitization itself. So that’s kind of irrelevant.
However, further down, the actual DB update is done using $wpdb->update, which does escape the data.
What I’m not entirely sure yet is whether one then needs to do any additional sanitization. Also whether I’m ok to use the_field, get_field etc as-is when outputting data, or whether these need escaping?
This post was helpful: http://wordpress.stackexchange.com/questions/44807/sanitize-vimeo-embed-code
