Neo4j Security

That depends entirely on what is being appended to the query and where.

If you're appending to the query itself, and not just as a value, then all bets are off, as the appended string is intended to be part of the executing query. This is the most dangerous case, when user input (or even graph data input, as a user may have saved malicious data into the graph properties used) is already in a position to take control of a query.

For appending values, if handling it as a string (whether to be used as a string value, or cast to another type), we're expecting a string value, and we should be handling the quotes in the query itself, not the provided value, so we need to ensure it can't escape its context as a string. Filtering out quote characters of the given surrounding type (so it can't escape its context) is the way to go.
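The two cases the reply distinguishes, as an added example that is not part of the original post or of any Neo4j project code. The first part builds the same Cypher query three ways (raw concatenation, concatenation with the value escaped so it cannot leave its single-quoted context, and a parameterized query where the value never enters the query text) and uses a small string-literal tokenizer to check whether the appended value is still one literal or has become part of the query. The helper escapes both the surrounding quote character and the backslash, because Cypher string literals use backslash escapes. The second part covers the "appended to the query itself" case with a property name in an ORDER BY, which can only be checked against an allowlist. The `User` label, the `name`/`created`/`password` properties and the sample values are constructed for the demo.

```python
"""Demo: appended Cypher values must not escape their string context."""

# Constructed sample inputs; not taken from any real system.
SAFE_NAME = "Alice"
MALICIOUS_NAME = "x' OR 1=1 RETURN n.password //"   # closes the literal, adds a clause, comments out the rest

# Assumed schema for the allowlist example.
ALLOWED_SORT_FIELDS = frozenset({"name", "created"})


def build_query_concat(name: str) -> str:
    """Vulnerable: the raw value is dropped straight into a single-quoted literal."""
    return "MATCH (n:User) WHERE n.name = '" + name + "' RETURN n.name"


def escape_for_cypher_literal(value: str, quote: str = "'") -> str:
    """Escape a value so it cannot close the surrounding quote of the given type.

    Cypher string literals use backslash escapes (\\' \\" \\\\), so the
    backslash must be escaped first, then the quote character itself.
    """
    if quote not in ("'", '"'):
        raise ValueError("quote must be ' or \"")
    return value.replace("\\", "\\\\").replace(quote, "\\" + quote)


def build_query_escaped(name: str) -> str:
    """Concatenation with the value kept inside its single-quoted context."""
    escaped = escape_for_cypher_literal(name, "'")
    return "MATCH (n:User) WHERE n.name = '" + escaped + "' RETURN n.name"


def build_query_parameterized(name: str) -> tuple[str, dict]:
    """Preferred form: the value is sent as a parameter, never as query text.
    A driver would run this as session.run(query, params)."""
    return "MATCH (n:User) WHERE n.name = $name RETURN n.name", {"name": name}


def extract_literals(query: str) -> list[str]:
    """Return the decoded string literals of a Cypher query, in order.

    Simplified tokenizer: honours backslash escapes inside literals and
    skips // line comments outside them. Raises on an unterminated literal.
    """
    literals, i, n = [], 0, len(query)
    while i < n:
        ch = query[i]
        if ch in ("'", '"'):
            quote, i, buf = ch, i + 1, []
            while i < n and query[i] != quote:
                if query[i] == "\\" and i + 1 < n:   # escaped character
                    buf.append(query[i + 1])
                    i += 2
                else:
                    buf.append(query[i])
                    i += 1
            if i >= n:
                raise ValueError("unterminated string literal")
            literals.append("".join(buf))
            i += 1                                   # skip closing quote
        elif query.startswith("//", i):              # comment: drop rest of line
            nl = query.find("\n", i)
            i = n if nl == -1 else nl + 1
        else:
            i += 1
    return literals


def value_stays_a_string(query: str, intended: str) -> bool:
    """True only if the query contains exactly one literal equal to the intended value,
    i.e. the appended value did not become part of the executing query."""
    try:
        return extract_literals(query) == [intended]
    except ValueError:                               # value broke the literal open
        return False


def build_sorted_query(sort_field: str) -> str:
    """Structural input (a property name) cannot be quoted or parameterized,
    so the only safe option is a fixed allowlist of accepted identifiers."""
    if sort_field not in ALLOWED_SORT_FIELDS:
        raise ValueError(f"unsupported sort field: {sort_field!r}")
    return f"MATCH (n:User) RETURN n.name ORDER BY n.{sort_field}"


if __name__ == "__main__":
    for label, builder in (("concat", build_query_concat), ("escaped", build_query_escaped)):
        q = builder(MALICIOUS_NAME)
        print(f"{label:8} intact={value_stays_a_string(q, MALICIOUS_NAME)}  {q}")
    print("params  ", build_query_parameterized(MALICIOUS_NAME))
    print("allowlist", build_sorted_query("name"))
```

Running it shows the concatenated query holding only the literal `x` with `OR 1=1 RETURN n.password` now part of the query, while the escaped and parameterized forms keep the whole value as data. A lone backslash is the edge case that quote filtering alone misses: concatenated raw, it escapes the closing quote and leaves the literal unterminated.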