“An LLM with a tool that READS untrusted content, is inherently also WRITING it into the context window.”

Is a slightly more useful flattening/reduction of the problem that I’m still wordsmithing and evangelizing.