...
Note that using Dynamic SQL is an expensive SQL operation.
...
What do you mean by "expensive"? It's as affordable as anything else.
Just use it properly with sp_executesql and parameters to stop possible sql injection.
I think, in this case, using dynamic SQL is totally justified and will allow to achieve the best performance (for sure it will be better than using IF statements...)