Role tags are not actual symbols "<system>", they are special tokens that do not correspond to any normal text. So you can't really inject a role tag, that is not the actual problem.

as in this stuff happens at the tokenizer / internal representation layer? sorry can you help me understand why can't we sanitize it?