• Hi guys,

    I am wondering if there are ways to validate a front-end form besides the WP nonce. I read in the Codex that nonces shouldn’t be used to validate forms.

    Nonces should never be relied on for authentication or authorization, access control. Protect your functions using current_user_can(), always assume Nonces can be compromised.

    My form is on the front end and every visitor can submit it. I am using only a nonce currently, but is it safe enough to validate the form?

    Thanks,
    Mauris

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator bcworkz

    (@bcworkz)

    The WP nonce’s purpose is to ensure the form the user is using was sent by your server and the form’s data is submitted by that form and not by some bad actor or other nefarious devices. Especially with HTML5, there are numerous options where form fields can be validated client side in the browser. This is great for ensuring users are entering data correctly, but you still must re-validate the data server side because anything from a client browser cannot be trusted.

    WP nonces are also not true nonces that can only be used once. WP nonces can be reused any number of times within 24 hours. This is adequate for ensuring the form is from your server. For more stringent security needs, you would need to develop a true nonce system.

    For forms submitted by anyone, you’re not authenticating or controlling access, so the Codex comment does not really apply to you. You still need to protect your site from SQL injection and similar attacks. The first thing to do is ensure the form submitting data is from your server. This is what the nonce is for. Once that is verified, you need to sanitize and validate the submitted data by first ensuring the data is within the expected range of possible input.

    For example, a phone number field should maybe contain no alphabetic characters, it should be longer than 5 or 6 numbers, but no longer than a dozen some numbers once any punctuation has been stripped out. Some fields are not so obviously constrained, but place limits where you can. This is what we call data validation.

    You must also sanitize data. Depending on what the data is supposed to represent, there are different methods to sanitize. Some data just needs to be escaped. URLs need to be urlencoded. WP has a number of sanitation functions for common situations.
    Data Validation
    Validating Sanitizing and Escaping User Data
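An added example (not code from the thread or from WordPress core) of a public front-end form handler that applies the three steps in the reply above in order: verify the nonce, validate each field against its expected range, then use only sanitized values. The hook name, field names and the 6-to-15-digit phone bound are assumptions chosen for the example.

```php
<?php
// Added example: front-end form handler. Hook/field names ("contact_form",
// "cf_nonce", "cf_phone", ...) and the phone length bound are assumptions.
// The form must include wp_nonce_field( 'contact_form', 'cf_nonce' ) and a
// hidden input name="action" value="contact_form" posting to admin-post.php.

add_action( 'admin_post_nopriv_contact_form', 'cf_handle_submission' ); // anonymous visitors
add_action( 'admin_post_contact_form', 'cf_handle_submission' );        // logged-in users

function cf_handle_submission() {
    // 1. Origin check: the request must carry a nonce our server issued for this form.
    if ( ! isset( $_POST['cf_nonce'] ) || ! wp_verify_nonce( $_POST['cf_nonce'], 'contact_form' ) ) {
        wp_die( 'Invalid form submission.', '', array( 'response' => 403 ) );
    }

    // 2. Validation: reject anything outside the expected range before it is used anywhere.
    $errors = array();

    $name = sanitize_text_field( wp_unslash( $_POST['cf_name'] ?? '' ) );
    if ( '' === $name || mb_strlen( $name ) > 100 ) {
        $errors[] = 'Name is required and must be 100 characters or fewer.';
    }

    $email = sanitize_email( wp_unslash( $_POST['cf_email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        $errors[] = 'A valid email address is required.';
    }

    // Phone rule from the reply: strip punctuation, then digits only within a length bound.
    $phone = cf_normalize_phone( wp_unslash( $_POST['cf_phone'] ?? '' ) );
    if ( null === $phone ) {
        $errors[] = 'Phone number must be 6 to 15 digits.';
    }

    // URL: only http/https survive; anything else collapses to an empty string.
    $website = esc_url_raw( wp_unslash( $_POST['cf_website'] ?? '' ), array( 'http', 'https' ) );

    if ( $errors ) {
        wp_die( esc_html( implode( ' ', $errors ) ), '', array( 'response' => 400 ) );
    }

    // 3. Only sanitized, validated values reach storage or email from here on.
    do_action( 'cf_submission_accepted', compact( 'name', 'email', 'phone', 'website' ) );
    wp_safe_redirect( home_url( '/thanks/' ) );
    exit;
}

function cf_normalize_phone( $raw ) {
    $digits = preg_replace( '/[\s().+\-]/', '', $raw ); // drop common punctuation
    return preg_match( '/^[0-9]{6,15}$/', $digits ) ? $digits : null;
}
```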

    Thread Starter Yudhistira Mauris

    (@maurisrx)

    Thanks bcworkz for the explanation! It really helps.

    Thread Starter Yudhistira Mauris

    (@maurisrx)

    Thanks a lot!

  • The topic ‘Front End Form Validation’ is closed to new replies.