as long as an LLM is a black box (i.e. we haven't mapped its logical structure) then there can always be another prompt injection attack you didn't account for.