> Does Apple's implementation have any sanitization layer between retrieved content and what gets fed to the model?

It's been discussed a lot but fundamentally there isn't a way to solve this yet (and it may not be solvable period). I'm sure they've asked their model(s) to not do anything stupid through the system prompt. Remember, prepending and appending text to the user's request to an LLM is the all you can do. With an LLM it's only text string in then text string out. That's it.