It's more like an LLM is making a GET request to a honey pot website, that GET request compromises the LLM (via prompt injection), which convinces the LLM to send a POST request with the customers data to the attacker (honey pot owner).
Of course, it's not actually a POST request (because they don't seem to allow it to make those), so instead they just exfil the data in the headers of a second GET.
Of course, it's not actually a POST request (because they don't seem to allow it to make those), so instead they just exfil the data in the headers of a second GET.