Rails SQL Injection Guide Updated with Rails 5
http://rails-sqli.org/ lists surprising SQL injection risks in regular ActiveRecord methods. It has now been updated to include coverage of Rails 5.
Spoiler alert: unfortunately, all the same methods are still vulnerable when used with unsafe input. No new methods have been found to be unsafe - if you know of any, please open an issue.