Separate how? It's all still getting fed into the same text processing pipe. The tools to do something that's fundamentally different from that literally don't exist yet.
It's not longer this way. The 'text processing pipe' takes in two inputs. One is the instruction, the other is the text to apply the instruction on. If the injection is the text it doesn't affect the instruction. The model you're describing is the previous version.
Did you try this though, because so far it doesn’t seem to give the ‘system’ prompt preference over the ‘user’ prompt; the user can override the system prompt with some trivial prompting.