[notgenerated]

Unless a new architecture for LLMs emerge that has an inherit way of separating context from safe user data and external unsafe data every interaction is susceptible to PI. My question here is why would the bank agent need to look at the transaction data that is exposed to the outside? Apart from guardrails etc. high risk scenarios where agents are involved should aim to exclude external untrusted data whenever possible

[Ekaros]

Because description can be part of transaction. Here you have two options either a ID number usually requested by receiving party or free form message of text. Later could be highly useful for agents say containing information of refund of some earlier bill or invoice.

Without this you would be limited to account numbers, date and amount and the id number. Sometimes more information is useful and then well agent reading this information is also useful.

And before human reading such info would have just ignored it. But LLMs don't work like that.