Yeah, typically MEV shielding == sending directly to a mining pool that promises that not frontrun it. It's not a guarantee though, the miner could decide to still frontrun, or a small reorg could occur, and another actor could replace the transaction.
> It's not a guarantee though, the miner could decide to still frontrun
The transaction bundle will fail if the success criteria is not reached (often a certain level of profit), so the worst that happens is that the profit margin falls to that level or the transaction is not included with zero cost to the sender
Exactly, flashbots and similar implement a gateway for submitting transactions directly to the miners. The transactions are only included if they succeed, because part of the transaction transfers payment to the miner for including it and another part of the transaction guarantees success only if it is profitable enough for the submitter. The transaction bundle is not mined unless it succeeds and thus avoids paying gas for failed attempts.
My point is that this is something the flashbot service does before submitting the transaction. There is nothing technical stopping them from submitting it or frontrunning it (besides destroying their reputation). In addition, when uncles and reorgs occur, the rest of the network sees the transaction, and hence could frontrun it / submit it and have it fail.