I'm completely guessing here, though if I get time I'll probably go and have a read of a more reliable source than TFA.
As the SQL Injection protection seems to be within a query firewall (rather than related to the encryption as El Reg claimed), I'm going to hazard a guess that it does simple query interpretation, looking for things like a UNION within a query that, every time it's run previously, has not included a UNION.
i.e if the query is normally
SELECT title,content FROM articles where id=1;
And the following comes through
SELECT title,content FROM articles where id=1 UNION SELECT username,plaintextpass from users
Then it'd be blocked.
It's only a guess mind, but given Google's propensity for behavioural analysis, I wouldn't be surprised if there's some profiling of queries received and then anything outside of the 'normal' profile gets additional filtering to try and identify whether it's an SQLi attempt.
Still better to fix/avoid SQLi at the application though