If a hacker targets your site then you'll get compromised one way or another, even if you leave the regex off completely. I've only had that happen once in 20 years of building websites, so I personally don't worry about it much.
The plugin gives access to two types of galleries: ones uploaded to the filesystem (via FTP or through the October media manager), and ones created on the "Galleries" backend page - these are then stored in the database. The plugin first checks if there are any rows in the galleries table with the given tag. So I don't think that part of the code is vulnerable. SQL isn't constructed manually anywhere, so I don't think an attacker could use SQL injection to hack your database. If the plugin doesn't find any rows that match, then it checks the filesystem. So I suppose that without any sort of validation of the URL parameter, an attacker might be able to see pictures stored outside of your gallery "root" folder.
In any case I would use a regex like this: ?|^[a-z0-9-_]+$
So your full URL might be: /galleries/:gallerycode?|^[a-z0-9-_]+$
This should take any combination of letters and numbers and dash or underscore, so it should be quite safe.
Also updated the docs. Thanks for the question!
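As an added illustration (not code from the plugin or from the answer above), the following PHP shows how the route constraint `^[a-z0-9-_]+$` acts as an allowlist on the gallery code, and adds a `realpath` containment check as a second layer for the filesystem lookup the answer describes. The `$galleryRoot` argument, the `resolveGalleryDir` helper and the sample codes are assumptions constructed for this demo; the only thing taken from the answer is the character class. One detail beyond the post: in PCRE, `$` also matches just before a trailing newline, so the standalone check below adds the `D` modifier to close that gap.

```php
<?php
// Added example, not part of the plugin or the original answer.
// Demonstrates the gallery-code allowlist from the answer plus a path
// containment check for the filesystem fallback.
declare(strict_types=1);

// Same character class as the answer's route constraint. In PCRE a hyphen
// that directly follows a range (0-9) is a literal, so this allows only
// a-z, 0-9, '-' and '_'. The D modifier makes '$' match only at the very
// end of the string (without it, "photos\n" would also pass).
const GALLERY_CODE_PATTERN = '/^[a-z0-9-_]+$/D';

function isValidGalleryCode(string $code): bool
{
    return preg_match(GALLERY_CODE_PATTERN, $code) === 1;
}

/**
 * Resolve a gallery code to a directory under $galleryRoot (assumed path).
 * Returns null when the code fails the allowlist, the folder does not
 * exist, or the resolved path escapes the root (e.g. through a symlink,
 * which the regex alone cannot detect).
 */
function resolveGalleryDir(string $galleryRoot, string $code): ?string
{
    if (!isValidGalleryCode($code)) {
        return null;
    }

    $root = realpath($galleryRoot);
    $candidate = realpath($galleryRoot . DIRECTORY_SEPARATOR . $code);
    if ($root === false || $candidate === false) {
        return null; // root missing or no such gallery folder
    }

    // Containment check: the resolved path must sit inside the root.
    // Comparing with a trailing separator avoids "/var/galleries2"
    // being accepted as a child of "/var/galleries".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed sample inputs: the first three are the kind of codes the
// answer intends to accept; the rest are rejected by the allowlist.
$samples = [
    'summer-2019',
    'family_photos',
    'gallery01',
    '../config',    // traversal attempt: '.' and '/' are not in the class
    'Holiday',      // uppercase is not in the class
    'photos/2019',  // subfolder separator rejected
    "gallery01\n",  // trailing newline rejected because of the D modifier
    '',             // empty string rejected by '+'
];

foreach ($samples as $code) {
    printf(
        "%-16s %s\n",
        var_export($code, true),
        isValidGalleryCode($code) ? 'allowed' : 'rejected'
    );
}
```

Run it with `php example.php`. Note that October's router applies the constraint before the page code runs, so in the real plugin the regex already rejects these codes at routing time; the containment check is a defence-in-depth measure for the filesystem lookup, not a replacement for the route constraint.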