I don’t know how to validate a site’s form.
The question is filter_var is enough?
Yes indeed, as explained above. JS validation is just for convenience (user gets prompted without page refreshes). But the user can turn off JS with the click of a button, and bots can bypass it too. So in terms of security, it’s like putting a protective fence around your house by no lock on the gate.