Any piece of data you get from the user (or any other external source) and pass to another system or another user is a potential exploit.
If you get a string from the user and display it to another user without using HtmlEncode, it's a potential exploit.
If you get a string from the user and use it to construct SQL, it's a potential SQL injection.
If you get a string from the user and use it to construct a file name for Process.Start or Assembly.Load, it's a remote execution vulnerability.
You get the point: the danger comes from using unsanitized data. If you never pass user input to an external system without sanitizing it (example: HtmlEncode) or using injection-safe interfaces (example: SQL parameters), you are relatively safe. The minute you forget to sanitize something, the most innocent-looking method can become a security vulnerability.
Note: cookies, HTML headers and anything else that passes over a network is also data from the user; in most cases, even data in your database is data from the user.
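
The three sinks named above, handled in C# with base class library calls only (an added example, not part of the original answer). The `users` table, the `@name` parameter prefix, the tool names and paths, and the sample inputs are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Net;

static class UntrustedInput
{
    // HTML sink: encode at the point of output, whatever the value looked like on input.
    public static string RenderComment(string author, string text) =>
        $"<p><b>{WebUtility.HtmlEncode(author)}</b>: {WebUtility.HtmlEncode(text)}</p>";

    // SQL sink: the value travels as a parameter and never becomes part of the SQL text.
    // Works with any ADO.NET provider; the "@" prefix is provider-specific (assumption).
    public static IDbCommand FindUser(IDbConnection conn, string name)
    {
        IDbCommand cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT id, name FROM users WHERE name = @name";
        IDbDataParameter p = cmd.CreateParameter();
        p.ParameterName = "@name";
        p.Value = name;
        cmd.Parameters.Add(p);
        return cmd;
    }

    // Process.Start sink: map the user's choice onto a fixed allowlist instead of
    // building a path from it. Names and paths here are hypothetical.
    static readonly Dictionary<string, string> Tools = new(StringComparer.Ordinal)
    {
        ["report"] = @"C:\App\tools\report.exe",
        ["export"] = @"C:\App\tools\export.exe",
    };

    public static bool TryResolveTool(string requested, out string path) =>
        Tools.TryGetValue(requested ?? "", out path);

    static void Main()
    {
        // Constructed inputs: markup in a comment, and a path where a tool name is expected.
        Console.WriteLine(RenderComment("eve", "<script>alert(1)</script>"));
        foreach (var name in new[] { "report", @"..\..\Windows\System32\cmd.exe" })
            Console.WriteLine($"{name} -> " +
                (TryResolveTool(name, out var p) ? p : "rejected"));
    }
}
```

`FindUser` is not called from `Main` because it needs an open connection from whichever ADO.NET provider the application uses.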