What the identifier does is really delaying one level of evaluation, and that's the only way to prevent injection.
For static/known text, we can delay one level of evaluation using things like $+ and $!ident, but for unknown text abstracted by a local identifier/%variable such as $1-, we can't because we need to get its content during the evaluation of the timer command:
//timer 3 1 echo -a $time - $!time - $ $+ time
Vs
//tokenize 32 dangerous $!me | timer 1 1 echo -a $1- - $ $+ 1- - $unsafe($1-)