In practice, it is almost always a compile-time-known string. gcc will warn you if it isn't, especially since allowing the use of untrusted input for the format can lead to vulnerabilities:

https://en.wikipedia.org/wiki/Uncontrolled_format_string