What do you mean by "bound param are the default"? When you construct an sql query it is you, the programmer, who writes it and decides to use bound parameters. Even when you use PDO and prepare a statement there is nothing that forces you to bind a param - you are still free to inject plain unescaped values into sql. It's you who has to remember to put a placeholder in your query and then bind a value to it. If you don't, your code is vulnerable to injections despite using PDO. Considering this, I can't see much difference between remembering to bind params or escape values.
You mention creating a wrapper class over PDO, well I do similar, as I am sure many others do.
This is typical of what I end up doing:
// where I have removed from $_POST the unwanted vars
// and satisfied myself that the remainder are within
// my tolerances
$this->BusinessesManager->addNew( $_POST );
Thanks to the POST vars containing both the name of the database field and the value, then it makes a lot of sense to keep them together and feed them to something that just inserts or updates the database.
Now you are going a bit off-topic here. Yes, I mentioned using a wrapper class but as a general rule to make coding more convenient, it has nothing to do with using prepared statements vs mysqli_escape_string(). Even if inserting from $_POST looks as simple as you have presented above, somewhere deeper in your code your wrapper class has to prepare the statement and bind values. Who wrote the wrapper class? If you did then you had to consciously choose to bind values in the right place to avoid sql injections. It's still the same as choosing to use mysqli_escape_string() - in both cases it's not done by default, the programmer has to code it, even if it's only in one place somewhere in a wrapper method for all sql queries.
I hardly write sql anymore.
I never worry about correctly escaping values going into my database because the default uses this PDO wrapper and its bound params, and as such sleep at night very well.
If you hardly write sql anymore then the difference between mysqli_escape_string() and binding params matters even less, because the protection against injection is handled automatically somewhere in your wrapper class and you don't have to think about it in most cases. If you had used mysqli_escape_string() as a protection, then your code above would not have changed at all.
My point is simple: PDO doesn't provide any protection "by default", you still have to remember to bind params just as you had to remember to use mysqli_escape_string(). And I don't see any difference in protection strength between these two (Felgall says otherwise, I'm still open to learn what's vulnerable about sending sql with the use of mysqli_escape_string).
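For reference, here is what the "somewhere deeper in your code" part of the wrapper discussed above looks like in practice. This is an added example, not code posted by anyone in the thread: the class name BusinessesManager, the method addNew() and the column list are assumptions chosen to match the snippet above, and it uses an in-memory SQLite database so it runs offline. It shows the two things a wrapper must do itself, because neither PDO nor an escaping function does them for you: every value goes through a bound placeholder, and the column names taken from the request keys are checked against an allowlist, since placeholders (and escaping) only cover values, never identifiers.

```php
<?php
// Added example (not from the thread): a minimal PDO wrapper of the kind the
// posters describe, backed by an in-memory SQLite database so it runs offline.
// Class, method and column names are assumptions matching the thread's snippet.

declare(strict_types=1);

final class BusinessesManager
{
    // Column names cannot be bound as parameters (placeholders only stand in
    // for values), so the keys coming from $_POST are checked against this list.
    private const COLUMNS = ['name', 'city', 'phone'];

    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
        // Throw on errors instead of failing silently.
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // Ask for real server-side prepares where the driver supports them
        // (no effect on SQLite, but it matters for MySQL).
        $this->pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        $this->pdo->exec('CREATE TABLE IF NOT EXISTS businesses '
            . '(id INTEGER PRIMARY KEY, name TEXT, city TEXT, phone TEXT)');
    }

    /** Insert one row from a field => value array such as a filtered $_POST. */
    public function addNew(array $fields): int
    {
        $columns = [];
        $placeholders = [];
        foreach (array_keys($fields) as $column) {
            if (!in_array($column, self::COLUMNS, true)) {
                throw new InvalidArgumentException("Unknown column: $column");
            }
            $columns[] = $column;
            $placeholders[] = ':' . $column;
        }
        if ($columns === []) {
            throw new InvalidArgumentException('No columns to insert');
        }
        // Only allowlisted identifiers reach the SQL text; every value is bound.
        $sql = sprintf(
            'INSERT INTO businesses (%s) VALUES (%s)',
            implode(', ', $columns),
            implode(', ', $placeholders)
        );
        $stmt = $this->pdo->prepare($sql);
        foreach ($fields as $column => $value) {
            $stmt->bindValue(':' . $column, (string) $value, PDO::PARAM_STR);
        }
        $stmt->execute();
        return (int) $this->pdo->lastInsertId();
    }

    /** Look a row up by exact name, again through a bound parameter. */
    public function findByName(string $name): ?array
    {
        $stmt = $this->pdo->prepare(
            'SELECT name, city, phone FROM businesses WHERE name = :name'
        );
        $stmt->execute([':name' => $name]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}

// Constructed sample input standing in for an already filtered $_POST.
$post = [
    'name'  => "O'Brien's Bakery; -- quotes and dashes are just data here",
    'city'  => 'Dublin',
    'phone' => '+353 1 000 0000',
];

$manager = new BusinessesManager(new PDO('sqlite::memory:'));
$manager->addNew($post);

// The quote, semicolon and "--" were stored verbatim, not parsed as SQL.
$row = $manager->findByName($post['name']);
var_dump($row !== null && $row['city'] === 'Dublin');

// A key outside the allowlist is rejected before any SQL text is built.
try {
    $manager->addNew(['name' => 'x', 'owner' => 'y']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The same allowlist step is needed if the wrapper were written with mysqli_real_escape_string() instead of placeholders, because escaping only makes a value safe inside a quoted string literal; it does nothing for a column name spliced into the query, and the check on the request keys is the part that has to be written by hand either way.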