Can there be SQL injections in the database?
Explain if malicious code can be recorded and stored in the database, and if so, what are the ways to find it?
SQL injection is the introduction of third-party SQL code into the application code. If something superfluous / malicious appeared in the database, then this is already the result of SQL injection.
There may be data in the database that leads to SQL injections. You don't need to look for it; you need to write code that will prevent an attacker from using it:
php.net/manual/ru/pdo.prepared-statements.php
Maybe, if someone got access to the DB. Not necessarily through SQL injection.
Maybe. Second-order SQL injection: a certain string is added to the database by a safe query, and it takes effect after it has been selected and reused in an unsafe query. Protection: any variable data, whether passed directly by the user or taken from the database or configs, should only go through parameterized mysqli or PDO queries.
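The second-order case described in the answer above, as an added example that is not part of the original thread. It assumes PHP with the pdo_sqlite driver and uses an in-memory SQLite database; the tables, function names and sample value are hypothetical and constructed for the demonstration.

```php
<?php
// Constructed demo: in-memory SQLite stands in for the application database.
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT)');
    $db->exec("INSERT INTO orders (owner, item) VALUES ('alice', 'book'), ('bob', 'laptop')");
    return $db;
}

// Step 1: the value is stored with a safe, parameterized INSERT.
function register(PDO $db, string $name): int {
    $db->prepare('INSERT INTO users (name) VALUES (?)')->execute([$name]);
    return (int) $db->lastInsertId();
}

// Reads the stored name back; this query is parameterized and safe.
function storedName(PDO $db, int $id): string {
    $st = $db->prepare('SELECT name FROM users WHERE id = ?');
    $st->execute([$id]);
    return (string) $st->fetchColumn();
}

// Step 2 (vulnerable): the stored value is trusted and concatenated into SQL.
function ordersUnsafe(PDO $db, int $userId): array {
    $name = storedName($db, $userId);
    return $db->query("SELECT item FROM orders WHERE owner = '$name'")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Step 2 (fixed): data read from the database is bound exactly like user input.
function ordersSafe(PDO $db, int $userId): array {
    $st = $db->prepare('SELECT item FROM orders WHERE owner = ?');
    $st->execute([storedName($db, $userId)]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();
$id = register($db, "x' OR '1'='1");  // constructed sample value, stored verbatim
var_dump(ordersUnsafe($db, $id));     // both rows: the stored quote rewrote the WHERE clause
var_dump(ordersSafe($db, $id));       // empty array: the name is compared as a literal
```

To find code paths like `ordersUnsafe` in an existing code base, review every query built by string concatenation or interpolation, including those whose variables come from the application's own tables.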
Theoretically, to get into the realm of paranoia, you can make a function and run it with the internal scheduler. But this is absolutely extreme paranoia, especially since this code will be isolated and will be able to work only within its authority and only with data in the database. Look at the scheduler and the functions in the database.
To be honest, I have not seen this yet, and if you find it, then share it with the public :)))
Strictly speaking, SQL injection is needed to access the database; if you already have access, then there is no point in writing it there.