That mitigates a lot, but are companies going to be responsible enough to take a hardline stance and say, "yes, you can ask an LLM to read an email, but you can't ask it to reply, or update your contacts, or search for information in the email, or add the email event to your calendar, etc..."?
It's very possible to sandbox LLMs in such a way that using them is basically secure, but everyone is salivating that the idea of building virtual secretaries and I don't believe companies (even companies like Google and Microsoft) have enough self control to say no.
The data exfiltration method that wuzzi talks about here is one he's used multiple times in the past and told companies about multiple times, and they've refused to fix it as far as I can tell purely because they don't want to get rid of embedded markdown images. They can't even get rid of markdown to improve security, when it comes time to build an email agent, they aren't gonna sandbox it. They're going to let it lose and shrug their shoulders if users get hacked because while they may not want their users to get hacked, at the end of the day advertising matters more to them than security.
They are treating the features as non-negotiable, and if they don't end up finding a solution to prompt injection, they will just launch the same products and features anyway and hope that nothing goes wrong.
