by zar1048576 88 days ago
The least-privilege framing makes sense. That said, a threat actor who understands your model can still craft inputs that have harmful side effects. A real challenge here is defining permissions reactively, because you risk breaking important existing behavior. This is not new in app security, but it gets messier with LLMs.

A harmful actor can no more create side effects when you do text (or voice to text in the article) input -> LLM -> JSON -> API call than the same harmful actor can do website -> JSON -> API call

Either way a badly written API is the culprit - not the LLM.
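The point both comments circle around is that the API behind the LLM is the trust boundary, and it has to treat the LLM's JSON the way it would treat JSON from any anonymous client. The following is an added example, not code from either commenter: a hypothetical API gateway that takes the untrusted JSON produced by an LLM (the string is constructed here), validates it against an allowlist of actions and their parameter schemas declared up front, and enforces per-role permissions before anything is executed. The action names, roles and limits are assumptions chosen for illustration; the same checks would apply unchanged to JSON arriving from a web form.

```python
import json

# Constructed allowlist, declared before deployment rather than reactively:
# action -> roles permitted to call it, and the exact parameter schema it accepts.
# Anything not listed here (unknown action, extra field, wrong type) is rejected.
ALLOWED_ACTIONS = {
    "create_reminder": {
        "roles": {"user", "admin"},
        "fields": {"text": str, "minutes": int},
    },
    "delete_account": {
        "roles": {"admin"},
        "fields": {"user_id": str},
    },
}

MAX_TEXT_LEN = 200          # assumed limit on free-text parameters
MAX_MINUTES = 24 * 60       # assumed limit on reminder delay (one day)


class RejectedRequest(ValueError):
    """Raised when the request fails validation or authorization."""


def validate_action(payload_text: str, caller_role: str):
    """Parse and validate untrusted JSON; return (action, params) or raise."""
    try:
        payload = json.loads(payload_text)
    except json.JSONDecodeError as exc:
        raise RejectedRequest(f"not valid JSON: {exc}")
    if not isinstance(payload, dict):
        raise RejectedRequest("top-level value must be an object")

    action = payload.get("action")
    if action not in ALLOWED_ACTIONS:
        raise RejectedRequest(f"unknown action: {action!r}")
    spec = ALLOWED_ACTIONS[action]

    # Authorization is decided by the caller's role, never by the LLM's output.
    if caller_role not in spec["roles"]:
        raise RejectedRequest(f"role {caller_role!r} may not call {action!r}")

    params = payload.get("params")
    if not isinstance(params, dict):
        raise RejectedRequest("params must be an object")
    extra = set(params) - set(spec["fields"])
    if extra:
        raise RejectedRequest(f"unexpected fields: {sorted(extra)}")

    for name, expected_type in spec["fields"].items():
        if name not in params:
            raise RejectedRequest(f"missing field: {name}")
        value = params[name]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, expected_type):
            raise RejectedRequest(f"field {name} has wrong type")
        if expected_type is str and len(value) > MAX_TEXT_LEN:
            raise RejectedRequest(f"field {name} too long")

    if action == "create_reminder" and not 1 <= params["minutes"] <= MAX_MINUTES:
        raise RejectedRequest("minutes out of range")
    return action, params


def handle(payload_text: str, caller_role: str) -> dict:
    """Gateway entry point: returns an accept/reject decision as a dict."""
    try:
        action, params = validate_action(payload_text, caller_role)
    except RejectedRequest as exc:
        return {"ok": False, "error": str(exc)}
    # A real service would dispatch to the backend here; this example only
    # reports what was accepted.
    return {"ok": True, "action": action, "params": params}


if __name__ == "__main__":
    # Constructed sample: what an LLM might emit after "remind me to call in 10 minutes"
    llm_json = '{"action": "create_reminder", "params": {"text": "call", "minutes": 10}}'
    print(handle(llm_json, "user"))
    # Constructed sample of the LLM being steered into a privileged action
    llm_json = '{"action": "delete_account", "params": {"user_id": "u-42"}}'
    print(handle(llm_json, "user"))
```

The schema and role table are fixed at deployment time, which is the part the first comment flags as hard: the cost of defining them after the fact is that legitimate existing requests may start failing, so the allowlist should be derived from the API's documented contract rather than from observed LLM output.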