by haileys 328 days ago
Yes, that's the point. It's just a string that could come from anywhere, including user input.
1 comments

Right, so if you assume that any session with an LLM is trusted or raw or whatever, then it’s going to interpret what it is presented.

The JSON example was a bad example.

But what this means is maybe there need to be guardrails developed, just like web browsers had to do (to protect the user filesystem).