Controllers are the gatekeepers of your API

Controllers safely separate your API from the outside world; they parse and sanitise data that comes in, and they filter the data you return.
For this reason, you shouldn’t do any input validation past your controllers: if it doesn’t exist by that point then something has gone wrong, and you should fix the code instead of adding hundreds of validations.

If your endpoint requires an account ID with your request and the user doesn’t pass it in, that’s a user error and you should handle it by validating the input and rejecting the request.
If your internal code requires an account ID and gets called without it however, that’s an error with your code, and your code should fail, rather than specifically checking for it and handling it in every single function it may occur.

For the same reason, controllers should abstract the request information from the rest of the code, and should be the last point in your code that you ever see the request object. Internal code beyond the controllers should have no concept of a request, only the values parsed in.