Out of those none.
Technically the first one is what you want to use but you want to use entityService.
db.query is just a lower end version of this. But overall EntityService is what you are looking for.
🤓 Entity Service API vs. Query Engine API
Strapi v4 offers several layers to interact with the backend and build your queries:
The Entity Service API is the recommended API to interact with your application's database. The Entity Service is the layer that handles Strapi's complex data structures like components and dynamic zones, which the lower-level layers are not aware of.
The Query Engine API interacts with the database layer at a lower level and is used under the hood to execute database queries. It gives unrestricted internal access to the database layer, but should be used only if the Entity Service API does not cover your use case.
If you need direct access to knex functions, use strapi.db.connection.
furthermore there is no documentation about transformResponse and sanitizeOutput (or sanitizeInput) so this generate a big confusion.
For what i understood there are 4 method to build a new controller. super when you want to use an unique function with sanitize and transform functions included (with also meta object) strapi.service with no documentation (only an example in the backend customization section) that seems to be a entityService API with some more date like meta object strapi.entityService that is the documented API that
is the layer that handles strapi’s complex data structures
but when you want to expose it to the front-end (if you want to keep the structure with data-attributes) you have to sanitize (??) and transform the response before to expose it.
strapi.db.connection that is a lower level of entityService.