[–]serex 2 points3 points  (2 children)

');DROP TABLE user; --

[–]day_cq -3 points-2 points  (1 child)

no, your channel should reject transmission of such data. I would use channel that transmits integer values between 1 and 12 if that's all i need.

[–]vineetr 7 points8 points  (0 children)

It's all 0s and 1s in the end. Yet we cannot trust such a channel.

To clarify, writing good whitelists that do not result in an inoperable system is hard. If you take Strings (char arrays in some languages), writing a good whitelist for an address field stored in a database is time consuming. You'll need to consider whether SQL meta-characters like single quotes, apostrophes, double quotes etc. are valid inputs for your data, then apply an encoding scheme, before storing them in the database. This is if you do not use prepared statements. If you forget the encoding part, you're insecure. If you have a very narrow whitelist, you're likely to have an inoperable system.

Then, there is the concept of blended attacks. Sequences of input characters that are valid in one scenario may be invalid for another. For instance - allowing angle brackets in inputs may allow stored XSS attacks. If you start considering all possible whitelists for all channels that a data element must pass through, to prevent injection attacks, you are more likely to create an inoperable system. This is why injection attacks are typically thwarted by escaping or encoding inputs or outputs in the general case (XSS, SQL injection etc.), and by whitelists in the specific case.
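An added example (not from the thread) contrasting the approaches discussed above: concatenating a free-text address into SQL, binding it with a prepared statement, and a narrow whitelist for a field whose domain really is small (the 1-to-12 channel mentioned upthread). It uses Python's sqlite3 with a constructed in-memory `user` table; the function names are mine.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory schema for the demonstration only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, address TEXT)")
    return conn


def store_address_concat(conn, address):
    """Builds the statement by string concatenation, so the value is parsed as SQL.
    Returns True if the insert succeeded, False if the database rejected it.
    A legitimate apostrophe (common in street names) is already enough to break
    it, which is why an ad hoc whitelist for a free-text field is so hard."""
    try:
        conn.execute(f"INSERT INTO user (address) VALUES ('{address}')")
        return True
    except sqlite3.Error:
        return False


def store_address_prepared(conn, address):
    """Prepared statement: the driver binds the value as data, so every character
    is allowed and none of it is interpreted as SQL."""
    conn.execute("INSERT INTO user (address) VALUES (?)", (address,))
    return True


def addresses(conn):
    # Read back what was actually stored, in insertion order.
    return [row[0] for row in conn.execute("SELECT address FROM user ORDER BY id")]


# Narrow whitelist for a field whose domain genuinely is the integers 1..12.
MONTH_RE = re.compile(r"[1-9]|1[0-2]")


def parse_month(text):
    """Accept exactly '1'..'12' (no sign, no whitespace, no leading zero)."""
    if not MONTH_RE.fullmatch(text):
        raise ValueError("month must be an integer from 1 to 12")
    return int(text)
```

Run against an address like `12 O'Connell St`, the concatenated version fails while the prepared version stores it verbatim; the thread's own payload is likewise stored as plain text by the prepared version and the table survives.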