
Well, the thing is that SET ROLE changes your security permissions; you should never use arguments that come from untrusted input. If you do, you have already caused a security vulnerability, SQL injection or not.

It looks like the lack of quote_ident is a feature here, because it makes you think "what the heck am I doing?".


