Best practice of handling user's input
#8

Quote:It automatically escapes the data, yes. But you should always validate it regardless of that and here you aren't even checking what fields are there in $user_data.

This is done in the controller, in validation. Or is that not enough? Is some more specific sort of validation needed here?

Quote:If you validate your inputs, you'll never have a user's first name like that - you know that people's names don't include parentheses, slashes and greater-than/less-than signs, so don't accept these.

Take note of what "validation" means - the former means checking if the data is valid and completely rejecting it if it's not. This is what you should be doing.

This is kind of tricky in this case; for example, I am not aware of all possible characters that are used in names across countries. Different countries mean different names, and maybe some signs like ' etc. This means that I should write my own validation rule for CI, because there is nothing like that in the validation class, am I right?
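A custom rule of the kind asked about above, as an added example that is not part of the original post or of CodeIgniter itself: an allow-list check that accepts letters from any script and rejects everything else outright. The function name, the length limit and the set of allowed separators are assumptions; the commented wiring assumes CodeIgniter 3's `callback_` rule convention.

```php
<?php
// Added example (hypothetical helper, not CodeIgniter's own code).
// Validation here means: accept or reject, never "clean up" the value.
function valid_person_name($name)
{
    if (!is_string($name) || !mb_check_encoding($name, 'UTF-8')) {
        return false;                  // malformed UTF-8 is rejected, not repaired
    }
    $name = trim($name);
    $len  = mb_strlen($name, 'UTF-8');
    if ($len < 1 || $len > 100) {      // length bounds are an assumption
        return false;
    }
    // \p{L} = a letter in any script, \p{M} = a combining mark (decomposed accents).
    // Space, apostrophe (ASCII or U+2019), period and hyphen may only appear
    // between name parts, in runs of at most two (e.g. ". "); one trailing period
    // is allowed. Parentheses, slashes, < and > never match, so they are rejected.
    $pattern = '/^\p{L}[\p{L}\p{M}]*(?:[ \'\x{2019}.\-]{1,2}\p{L}[\p{L}\p{M}]*)*\.?$/u';
    return preg_match($pattern, $name) === 1;
}

// Wiring in a CodeIgniter 3 controller (assumed convention, shown as comments):
//   $this->form_validation->set_rules('first_name', 'First name',
//                                     'required|callback_name_check');
//   public function name_check($str) {
//       if (valid_person_name($str)) { return TRUE; }
//       $this->form_validation->set_message('name_check',
//                                           'The {field} field is not a valid name.');
//       return FALSE;
//   }

// Constructed sample inputs, for illustration only.
$samples = array("Anne-Marie O'Neill", "Łukasz", "李小龍", "J. R. R. Tolkien",
                 "<b>Bob</b>", "Bob (admin)", "a/b", "-Bob", "");
foreach ($samples as $s) {
    printf("%-22s %s\n", '"' . $s . '"', valid_person_name($s) ? 'accept' : 'reject');
}
```

The rule still accepts the apostrophe, so it complements rather than replaces the automatic escaping mentioned in the first quote.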


Messages In This Thread
Best practice of handling user's input - by Geril - 02-20-2016, 01:03 PM
RE: Best practice of handling user's input - by Geril - 02-21-2016, 05:38 AM


