What happens when a prompt injection attack exploits the judge LLM and results in a higher level of attacker control than if it never existed?

How can it result in a higher level of control? I don't see why the "judge" should have access to anything except one tool that allows it to send an "accept" or "deny" command.