If so, if my varchar contains ; or [ or the keyword "Create", will that get automatically deleted? I don't think it is that simple. What is the mechanism of parameterization to avoid SQL injection?
No, it doesn't remove any characters. Rather, it treats those characters as values rather than as code. If you pass in a string with a semicolon or a quote mark or any other meaningful character/keyword then you'll simply end up with a string value that has that semicolon or quote mark or keyword in it.
If you construct the query as a raw string, rather than using a parameterized query, then you need to ensure that the characters are appropriately escaped in order to have the same behavior, and that's a non-trivial task (if you want to support every possibility) which is why parameterized queries exist to handle it for you.
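As an added illustration of the answer above (example code, not from the original post), this script runs the same awkward value, containing a quote, a semicolon and the keyword CREATE, through a parameterized insert, a raw string-concatenated insert, and a hand-escaped insert against an in-memory SQLite database. The sample value and the `users` table are constructed for the example.

```python
import sqlite3

# Constructed sample value: a quote, a semicolon and a keyword, all in one string.
TRICKY_NAME = "O'Brien; CREATE TABLE scratch(x)"


def fresh_db():
    """In-memory database with one table, constructed for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    return conn


def last_name(conn):
    return conn.execute("SELECT name FROM users ORDER BY id DESC LIMIT 1").fetchone()[0]


def parameterized_insert(conn, name):
    """The '?' placeholder is bound by the driver; the value is never parsed as SQL,
    so quotes, semicolons and keywords are stored exactly as given."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    return last_name(conn)


def raw_insert(conn, name):
    """String concatenation: the value becomes part of the SQL text the parser sees.
    Returns ('ok', stored_value) or ('error', message)."""
    try:
        conn.execute("INSERT INTO users (name) VALUES ('" + name + "')")
        return ("ok", last_name(conn))
    except sqlite3.Error as exc:  # the unbalanced quote breaks the statement
        return ("error", str(exc))


def escaped_insert(conn, name):
    """Manual escaping for SQLite: double every single quote. This handles the quote
    case, but the exact rules differ per database, encoding and literal type, which
    is the burden parameterized queries remove."""
    conn.execute("INSERT INTO users (name) VALUES ('" + name.replace("'", "''") + "')")
    return last_name(conn)


def table_exists(conn, table):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,))
    return row.fetchone() is not None
```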