simonw 3 days ago

Anything an adversarial attacker might be able to populate is untrusted. If there's a form they can use to add things to the CRM then that's tainted too.

wj 2 days ago

Agree with you from the theoretical POV but, in practice, that means that any CRM that has been used to store an email is untrusted data. Basically, a business's most trusted data source is untrusted in the LLM context. Which feels like a bridge that is going to need to be crossed as the alternative is to just use new data (with a clearly traced and entirely internal lineage).
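
The taint and lineage idea discussed in this thread, as an added example that is not part of either comment: each CRM field carries the list of sources that touched it, and one attacker-reachable hop taints it and everything derived from it. The source labels, the `Field`/`derive`/`build_context` names and the "tainted context disables tools" policy are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical source labels; these are the attacker-reachable entry points.
EXTERNAL_SOURCES = {"inbound_email", "web_form"}

@dataclass(frozen=True)
class Field:
    name: str
    value: str
    lineage: tuple  # every source that touched the value, oldest first

    @property
    def tainted(self):
        # One attacker-reachable hop anywhere in the lineage taints the value.
        return any(src in EXTERNAL_SOURCES for src in self.lineage)

def derive(name, value, *parents, source):
    """Create a field computed from others; lineage (and taint) is inherited."""
    lineage = tuple(s for p in parents for s in p.lineage) + (source,)
    return Field(name, value, lineage)

def build_context(fields):
    """Split fields by trust and decide whether the LLM may call tools."""
    trusted = [f for f in fields if not f.tainted]
    untrusted = [f for f in fields if f.tainted]
    return {
        "trusted": {f.name: f.value for f in trusted},
        "untrusted": {f.name: f.value for f in untrusted},
        # Policy assumption: any tainted text in context disables tool calls.
        "allow_tools": not untrusted,
    }

# Constructed sample CRM record (not real data).
RECORD = [
    Field("account_tier", "enterprise", ("billing_system",)),
    Field("owner", "j.doe", ("hr_directory",)),
    Field("last_message", "Hi, question about our renewal", ("inbound_email",)),
]
# An internal summarizer ran over the email: internal tool, external lineage.
SUMMARY = derive("summary", "Customer asked about renewal",
                 RECORD[2], source="internal_summarizer")

if __name__ == "__main__":
    print(build_context(RECORD[:2]))           # internal lineage only
    print(build_context(RECORD + [SUMMARY]))   # email and its summary tainted
```

The summary field shows why "it came from our own system" is not enough: the tool is internal, but the lineage still starts at an inbound email.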