How would that even work in practice, when an LLM is mostly to be used by a user, which will provide by default, untrusted input?