[simonw]

On the one hand this is exactly the right solution to prevent lethal trifecta exfiltration attacks.

The existence of lockdown mode does however imply that ChatGPT, in its default settings, does not provide robust protection against sufficiently determined data exfiltration attacks!

[berlianta]

Related: Simon Willison’s post on OpenAI’s new Lockdown Mode (he coined the “lethal trifecta” term this is based on): https://simonwillison.net/2026/Jun/5/openai-help-lockdown-mo...

[jameshart]

Related: simonw is Simon Willison

[berlianta]

Yeah I know the source references him (replying to his comment), that's exactly why I'm giving credit where it's due

[bombcar]

It’s important to draw it out explicitly- I didn’t even look at the commentators name until it was mentioned. (If I see pelicans …)

[alehlopeh]

As explained in a child comment, this comment is a callout to other readers, rather than an actual reply to the parent comment. I know that’s been a thing for a long time, but is there a word for this type of comment?

[gchamonlive]

I wonder what robust protection would mean in practice for such a capable tool like an agent...

Looking at the trifecta axis, if we assume we can't control untrusted content, that leaves us to create safeguards for private data access and external communication.

Would it be enough if we had a buffer between when these two happened: access to the environment and access to the web?

[simonw]

Robust protection means blocking any mechanism by which the agent, once compromised, might communicate stolen information back to an attacker.

[Noumenon72]

I hadn't realized that deep research or generating images that I paste into Twitter were possibly exfiltrating my data. Yikes.