It doesn't have to be that way. An allowlist of domains can be built over time. Also, the bot's suggestions can initially be vetted by a human. As for prompt injection, there are additional ways to mitigate the risk using domain exclusion, roles, and input validation, but I guess unimaginative AI haters will find any excuse to be haters.