lemax a day ago

LLM architectures need to fundamentally change, or inference needs to be used in constrained trusted environments. Nothing surprising here. Filtering and sanitizing, relying on tags around input strings that can be intercepted and replayed, is like, child's play security theatre. As long as prompts accept arbitrary user input, nothing is changing here. Non-deterministic security is never going to be acceptable.