daxfohl 4 days ago
Yeah, maybe if an agent workflow is decomposed into steps, each step having certain permissions, and the context optionally wiped or reset back to some checkpoint between steps to prevent accidental leaks. This is actually pretty nice because you can check each step for risks independently, and then propagate possible context leaks across steps as a graph. There's still potential for side-channel stuff, like it could write your password to some placeholder like a cookie during the login step, when it has read access to one and write access to the other, and then still exfiltrate it in a subsequent step even after it loses access to the password and the context has been wiped. Maybe that's a reasonably robust approach? Or maybe there are still holes it doesn't cover, or the side-channel problem is unfixable. But at a high level it seems a lot better than just providing a single set of permissions for the whole workflow.
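An added example, not part of the comment above: a small Python analysis of the scheme the comment sketches. Each step declares what it may read and write, context is assumed wiped between steps, and taint is propagated across the step graph so that the "password into cookie during login, exfiltrate from a later step" side channel shows up even though the later step cannot read the password. The step names, resource names ("cookie_jar", "egress:*") and the hardened variant are assumptions made for illustration, not anything the commenter proposed.

```python
"""Per-step permission analysis for a decomposed agent workflow.

Each step declares what it may read and write.  Context is wiped between
steps, so the only way a secret can move from one step to a later one is
through a persisted resource the earlier step could write and the later
step can read.  That possibility is propagated conservatively, and every
step that can both see the secret (directly or via a carrier) and write to
an egress sink not trusted with it is reported.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

EGRESS_PREFIX = "egress:"   # resources with this prefix model network sinks


@dataclass(frozen=True)
class Step:
    name: str
    reads: FrozenSet[str]    # resources the step may read
    writes: FrozenSet[str]   # resources the step may write, incl. egress sinks


@dataclass(frozen=True)
class Workflow:
    steps: Tuple[Step, ...]            # listed in an order consistent with deps
    deps: Dict[str, Tuple[str, ...]]   # step name -> names of its predecessors


def taint_flow(wf: Workflow, secret: str) -> Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]]:
    """Per step, the resources that may hold the secret before and after it runs.

    Worst case about the model: if a step can read any tainted resource, it may
    copy the secret into every persisted resource it can write.  Egress sinks
    are not carried forward, since no later step can read them back."""
    flow: Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]] = {}
    for step in wf.steps:
        before = {secret}
        for dep in wf.deps.get(step.name, ()):
            before |= flow[dep][1]        # deps must appear earlier in wf.steps
        after = set(before)
        if step.reads & before:
            after |= {w for w in step.writes if not w.startswith(EGRESS_PREFIX)}
        flow[step.name] = (frozenset(before), frozenset(after))
    return flow


def find_leaks(wf: Workflow, secret: str,
               trusted_sinks: FrozenSet[str]) -> List[Tuple[str, Tuple[str, ...], str]]:
    """(step, carriers, sink) for every step that can read a secret-bearing
    resource and write to an egress sink not trusted with that secret.
    Carriers are the resources that bring the secret into the step: the
    secret itself, or a persisted side channel such as a cookie."""
    flow = taint_flow(wf, secret)
    leaks = []
    for step in wf.steps:
        carriers = tuple(sorted(step.reads & flow[step.name][0]))
        if not carriers:
            continue
        for sink in sorted(step.writes):
            if sink.startswith(EGRESS_PREFIX) and sink not in trusted_sinks:
                leaks.append((step.name, carriers, sink))
    return leaks


SECRET = "vault:password"
TRUSTED = frozenset({"egress:login.example.com"})   # the only host allowed to see it

# Constructed example (an assumption, not a real agent run): log in, browse, summarize.
# The login step can read the password and write a cookie; the browse step can
# read the cookie and reach any host.  After login the password itself is gone.
LEAKY = Workflow(
    steps=(
        Step("login", frozenset({SECRET}), frozenset({"cookie_jar", "egress:login.example.com"})),
        Step("browse", frozenset({"cookie_jar"}), frozenset({"scratch", "egress:*"})),
        Step("summarize", frozenset({"scratch"}), frozenset({"report"})),
    ),
    deps={"browse": ("login",), "summarize": ("browse",)},
)

# Hardened variant (assumption): the login step may only talk to the login host
# and has no persisted store to write.  The session cookie is placed into
# "session" by the harness, not by the model, so nothing the credential-bearing
# step could write survives into the browse step.
HARDENED = Workflow(
    steps=(
        Step("login", frozenset({SECRET}), frozenset({"egress:login.example.com"})),
        Step("browse", frozenset({"session"}), frozenset({"scratch", "egress:*"})),
        Step("summarize", frozenset({"scratch"}), frozenset({"report"})),
    ),
    deps={"browse": ("login",), "summarize": ("browse",)},
)


if __name__ == "__main__":
    for label, wf in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, "leaks:", find_leaks(wf, SECRET, TRUSTED))
        print(label, "tainted after summarize:", sorted(taint_flow(wf, SECRET)["summarize"][1]))
```

On the leaky workflow the analysis reports the browse step, with `cookie_jar` as the carrier and `egress:*` as the sink, which is exactly the side channel the comment describes: per-step checking in isolation would pass the browse step, since it never reads the password. It also shows the taint reaching `report` through `scratch`, so a later review step would need to treat that output as possibly secret-bearing. In the hardened variant the credential-bearing step has nothing persistent to write, so no taint crosses the boundary and no leak is reported.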