Someone an hour ago

I think the only sane way, if there is one, is to sandbox your LLM behind a fixed set of MCP servers that severely limit what it can do.

Reading your mail, WhatsApp and bank transactions? May be OK if your LLM runs locally, but even then, if it has any way to send data to the outside world without you checking it, maybe not even. You don’t want your LLM to send your private mail (including photos) or bank statements to somebody who uses prompt injection to get that data.

Thinking of prompt injection: we need LLMs with a Harvard architecture (https://en.wikipedia.org/wiki/Harvard_architecture), so that there is no way for LLM data inputs to be treated as instructions.
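The sandboxing idea in the comment above, as an added example that is not part of the original post: a policy gate in front of a fixed registry of MCP-style tools, where unknown tools are refused outright and any tool that can move data off the machine requires a human approval once the session has touched private data (the tool names, the registry flags and the `Session` class are hypothetical).

```python
"""Added example: a minimal policy gate for MCP-style tool calls.
Tool names and capability flags are hypothetical, not from any real server."""
from dataclasses import dataclass, field

# The fixed set of tools the model may ever call. Anything else is refused.
# "egress" marks tools whose arguments or side effects can carry data off-box
# (a fetched URL's query string is an exfiltration channel, not just mail.send).
TOOL_REGISTRY = {
    "mail.read":    {"reads_private": True,  "egress": False},
    "bank.list_tx": {"reads_private": True,  "egress": False},
    "web.fetch":    {"reads_private": False, "egress": True},
    "mail.send":    {"reads_private": False, "egress": True},
}


@dataclass
class Session:
    touched_private: bool = False               # has any private source been read?
    approvals: set = field(default_factory=set)  # call ids a human has approved
    log: list = field(default_factory=list)      # audit trail of every decision


def decide(session: Session, call_id: str, tool: str, args: dict) -> str:
    """Return 'allow', 'deny' or 'needs_review' for one proposed tool call."""
    spec = TOOL_REGISTRY.get(tool)
    if spec is None:
        verdict = "deny"                         # not in the fixed set
    elif spec["egress"] and session.touched_private and call_id not in session.approvals:
        verdict = "needs_review"                 # private data could leave: human checks first
    else:
        verdict = "allow"
        if spec["reads_private"]:
            session.touched_private = True       # taint the session from now on
    session.log.append((call_id, tool, sorted(args), verdict))
    return verdict


def wrap_tool_result(tool: str, text: str) -> dict:
    """Tag a tool's output as data so the prompt builder never places it in the
    instruction channel; the model only ever sees it inside an untrusted slot."""
    return {"source": tool, "untrusted": True, "data": text}
```

The gate does not make the model immune to injection; it limits what a successfully injected model can do, and the log shows what it tried.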