Why doesn't the $1 syntax work for all queries?

I tried to do this: COPY postgres_log FROM $1 WITH csv; And with a separately sent file path, like I make all normal queries (SELECT/UPDATE/INSERT/DELETE). However, it gives: ERROR: syntax error at or near "$1" Um... So does that mean that I'm forced to send it a scary string like this? COPY postgres_log FROM '/full/path/to/logfileblablabla.csv' WITH csv; If so, why? Why don't all query types support the parameterized queries interface? Isn't this like *asking* to enable SQL query injection vulnerabilities?