Hey there, for anyone that is wondering as well.
ACF does use add_query_arg(), but neither of the two places this is used depends on user input. The vulnerability reported by Sucuri was has to do with using user input without escaping it when using this function.
~JH
