PHP Scanner does not pull SQL Injection Report

Thank you.
However, it’s still not possible to say whether this code is vulnerable.
What’s inside $context when executing the first query?
If SonarCloud can tell that it contains user-controlled data, then it raises an issue: please see for yourself.

We try to track data flow quite deeply, but there are cases where we fail to track user-controlled data: that’s what we call a false negative. If we can see your code (not just the line where the query is run), we can try to see whether an issue should indeed be raised and we can try to improve our analyzer.