That would help, but who defines which sites are required for the task? If it's the LLM you haven't solved prompt injection because the LLM can be persuaded to open other sites that the user didn't intend.