[zahlman]

> an attacker

... what exactly is your threat model? How are "attackers" getting themselves involved in the first place?

[irthomasthomas]

Your ai does a web search for you and scrapes many sites. An attacker running a blog might include a hidden text prompt which your ai acts on secretly, such as calling a url that exfiltrates your chat history.