simonw | 4 hours ago
That's a different issue from the lethal trifecta - if your agent has access to tools that can do things like delete emails or run commands then you have a prompt injection problem that's independent of data exfiltration risks. The general rule to consider here is that anyone who can get their tokens into your agent can trigger ANY of the tools your agent has access to.
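One way to enforce the rule stated above in an agent harness, added here as an example and not part of simonw's comment or any project: every tool is labelled as read-only or side-effecting, and once any untrusted text (an inbound email body, a fetched web page) enters the model's context, the dispatcher refuses side-effecting tools for the rest of the run, since any later tool request may have been driven by those foreign tokens. The tool names, the `tainted` flag and the sample email are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

@dataclass
class Tool:
    name: str
    fn: Callable[..., str]
    side_effecting: bool  # True if it acts on the world: delete, send, execute

@dataclass
class AgentContext:
    """Records whether any untrusted tokens have entered the model's context."""
    tainted: bool = False
    transcript: List[str] = field(default_factory=list)

    def ingest(self, text: str, trusted: bool) -> None:
        # Anything not authored by the operator taints the context for good.
        if not trusted:
            self.tainted = True
        self.transcript.append(text)

def build_registry() -> Dict[str, Tool]:
    # Hypothetical tools standing in for the ones the comment mentions.
    return {
        "search_inbox": Tool("search_inbox", lambda q: f"3 results for {q!r}", False),
        "delete_email": Tool("delete_email", lambda eid: f"deleted {eid}", True),
        "run_command": Tool("run_command", lambda cmd: f"ran {cmd!r}", True),
    }

def dispatch(ctx: AgentContext, registry: Dict[str, Tool], call: dict) -> str:
    """Execute a tool call the model emitted. Once the context is tainted, the
    model's own requests are treated as possibly attacker-driven, so any
    side-effecting tool is refused; read-only tools remain available."""
    tool = registry[call["name"]]
    if tool.side_effecting and ctx.tainted:
        return f"BLOCKED {tool.name}: context contains untrusted tokens"
    return tool.fn(*call.get("args", []))

def demo() -> List[str]:
    ctx, reg = AgentContext(), build_registry()
    results = []
    # Operator-authored instruction: context still clean, deletion allowed.
    results.append(dispatch(ctx, reg, {"name": "delete_email", "args": ["msg-1"]}))
    # Constructed sample: an inbound email body is data from a third party.
    ctx.ingest("Subject: Q3 report. Please review the attached figures.", trusted=False)
    results.append(dispatch(ctx, reg, {"name": "search_inbox", "args": ["report"]}))
    results.append(dispatch(ctx, reg, {"name": "delete_email", "args": ["msg-2"]}))
    results.append(dispatch(ctx, reg, {"name": "run_command", "args": ["ls"]}))
    return results
```

A production harness would usually replace the hard block with a human confirmation step for side-effecting calls, but the taint decision is the same.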