EagnaIonat 12 hours ago
> This doesn't work well because savvy users can manipulate the chatbot into calling tools. So you can never give a support chatbot real support powers like "refund this customer", ...

I would disagree with this. Part of how security is handled in current agentic systems is to not let the LLM have any access to how the underlying tools work. At best it's like hitting "inspect" in your browser and changing the web page. Of course, that assumes that the agentic chatbot has been built correctly.
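As an added example (not code from the thread, nor from any product mentioned in it), here is the arrangement the comment describes, in Python: the model only emits a JSON tool-call request, and a gateway outside the model holds the allow-list of callable tools, takes the caller's identity from the authenticated session rather than from model output, and applies a per-tool policy before anything executes. The tool names, the order table, the refund cap and the sample requests are all constructed for illustration.

```python
"""Tool-call gateway: the model proposes, the gateway decides.

Added example for illustration; tool names, the order table and the
policy limits are assumptions, not a real product's API.
"""
import json
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample data: orders keyed by id, each owned by one customer.
ORDERS = {
    "ORD-1001": {"customer": "cust-7", "total": 40.00, "refunded": 0.0},
    "ORD-2002": {"customer": "cust-9", "total": 900.00, "refunded": 0.0},
}

AUTO_REFUND_CAP = 50.00  # assumed policy: anything larger goes to a human


@dataclass
class Principal:
    """Who is asking. Comes from the session/auth layer, never from the model."""
    customer_id: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    result: dict = field(default_factory=dict)


def _own_order(p: Principal, order_id) -> Optional[dict]:
    """Return the order only if it exists AND belongs to the caller."""
    order = ORDERS.get(order_id)
    if order is None or order["customer"] != p.customer_id:
        return None
    return order


def _refund_policy(p: Principal, args: dict) -> Optional[str]:
    # One message for "missing" and "not yours" so the model cannot be used
    # to enumerate other customers' order ids.
    order = _own_order(p, args.get("order_id"))
    if order is None:
        return "no such order for this customer"
    amount = args.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
        return "amount must be a positive number"
    if amount > AUTO_REFUND_CAP:
        return f"amount exceeds automated cap of {AUTO_REFUND_CAP:.2f}"
    if order["refunded"] + amount > order["total"]:
        return "refund exceeds order total"
    return None


def _refund_exec(p: Principal, args: dict) -> dict:
    order = ORDERS[args["order_id"]]
    order["refunded"] += args["amount"]
    return {"order_id": args["order_id"], "refunded": order["refunded"]}


def _lookup_policy(p: Principal, args: dict) -> Optional[str]:
    if _own_order(p, args.get("order_id")) is None:
        return "no such order for this customer"
    return None


def _lookup_exec(p: Principal, args: dict) -> dict:
    o = ORDERS[args["order_id"]]
    return {"order_id": args["order_id"], "total": o["total"], "refunded": o["refunded"]}


# Allow-list: only these names are callable, each paired with its own policy.
# The model never sees these functions; it only knows the names and argument schema.
TOOLS: dict[str, tuple[Callable, Callable]] = {
    "refund_order": (_refund_policy, _refund_exec),
    "lookup_order": (_lookup_policy, _lookup_exec),
}


def dispatch(model_output: str, principal: Principal) -> Decision:
    """Parse a tool call emitted by the model; run it only if policy allows."""
    try:
        call = json.loads(model_output)
        name, args = call["tool"], call["args"]
        if not isinstance(name, str) or not isinstance(args, dict):
            raise ValueError("bad shape")
    except (ValueError, KeyError, TypeError):
        return Decision(False, "malformed tool call")
    if name not in TOOLS:
        return Decision(False, f"tool not permitted: {name}")
    policy, execute = TOOLS[name]
    problem = policy(principal, args)
    if problem:
        return Decision(False, problem)
    return Decision(True, "ok", execute(principal, args))


if __name__ == "__main__":
    me = Principal("cust-7")
    # A prompt-injected model "decides" to refund someone else's order: denied.
    print(dispatch('{"tool": "refund_order", "args": {"order_id": "ORD-2002", "amount": 900}}', me))
    # A tool the model was never given: denied regardless of what it emits.
    print(dispatch('{"tool": "run_shell", "args": {"cmd": "id"}}', me))
    # A legitimate small refund on the caller's own order: allowed.
    print(dispatch('{"tool": "refund_order", "args": {"order_id": "ORD-1001", "amount": 20}}', me))
```

The point of the split is that whatever the model is talked into emitting, it can only produce a request; ownership, amount limits and the set of callable tools are checked against the session identity by code the model cannot influence, which is the "inspect element" analogy from the comment: editing the client-side view does not change what the server will do.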