“The real problem here is the same one that plagued the pre-SS7 phone network: the commingling of data and commands. As long as the data—whether it be training data, text prompts, or other input into the LLM—is mixed up with the commands that tell the LLM what to do, the system will be vulnerable.”
https://www.schneier.com/blog/archives/2024/05/llms-data-control-path-insecurity.html