For the following pretend that "STRING" has the same behavior as the "format(...)" function.
EXECUTE STRING('COPY %I TO %L', 'testtable', 'testfile.txt');
+1
We should make string sanitization easy so that people use it by default.
In the mean time, if you're just using psql, the new \gexec command will cover that
select format('COPY %I TO %L', 'testtable', 'testfile.txt')
\gexec
but it won't help with any \-commands. And it won't work for schema-qualified table names, and if you're using COPY tab FROM PROGRAM, you're going to have cases where %L finds an escape-y character in the command string (like using head -n 1 and sed to unpivot a header row) which results in an E'...' string that COPY can't handle.
For \copy, I end up doing something like
select format('\\copy %I from program %L',:'table_name','pigz -cd ' || :'file_name') as copy_command
\gset
:copy_command
Which won't win any beauty contests, and suffers from all the limitations I listed earlier, but works for me.
I'm indifferent to whether these commands need to be PREPARE-able so long as sanitization becomes a solved problem.