
> LLM tries to open a URL? Prompt the user.

That only works in contexts where any URL is an easy warning sign. Otherwise you get this:

"Assistant, create a funny picture of a cat riding a bicycle."

[Bzzzt! Warning: Do you want to load llm-images.com/cat_bicycle/85a393ca1c36d9c6... ?]

"Well, that looks a lot like what I asked for, and opaque links are normalized these days, so even if I knew what 'exfiltrating' was, it can't possibly be doing it. Go ahead!"
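The scenario above shows why a per-URL user prompt is weak: the person being asked cannot tell a content-addressed image path from an encoded payload. An automated outbound-URL policy does not have that blind spot. The following is an added example (not code from the thread or from any product it discusses) of a defender-side gate that an assistant's image-loading path could run before any fetch: it enforces an allowlist of image hosts, refuses query strings and fragments, and flags long digit-bearing path segments that carry no recognizable file extension. The host name `images.example-internal.test`, the thresholds and the extension list are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed policy constants (not from the thread): an organisation would
# configure these for the image hosts it actually controls.
ALLOWED_IMAGE_HOSTS = {"images.example-internal.test"}
KNOWN_IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg")
MIN_OPAQUE_SEGMENT_LEN = 16  # heuristic: shorter tokens are rarely useful carriers


def looks_like_opaque_token(segment: str) -> bool:
    """Heuristic for a path segment that may be carrying encoded data.

    A segment is treated as opaque when it is long, contains at least one
    digit, and does not end in a known image extension. Ordinary names such
    as 'cat_bicycle' or 'preview.png' pass; a bare hex blob does not.
    """
    if len(segment) < MIN_OPAQUE_SEGMENT_LEN:
        return False
    if segment.lower().endswith(KNOWN_IMAGE_EXTENSIONS):
        return False
    return any(ch.isdigit() for ch in segment)


def classify_url(url: str) -> tuple[str, str]:
    """Return ("allow", reason) or ("block", reason) for a model-proposed URL.

    The decision is made by policy, not by asking the end user, because the
    user has no way to judge whether an opaque path is benign.
    """
    # Scheme-less references are common in model output; normalise them so
    # urlsplit parses the host rather than treating everything as a path.
    normalised = url if "://" in url else "https://" + url
    parts = urlsplit(normalised)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        return "block", f"scheme {parts.scheme!r} not permitted"
    if host not in ALLOWED_IMAGE_HOSTS:
        return "block", f"host {host!r} is not an allowlisted image host"
    if parts.query or parts.fragment:
        # Query strings and fragments are the easiest place to smuggle data.
        return "block", "query strings and fragments are not permitted"
    for segment in parts.path.split("/"):
        if looks_like_opaque_token(segment):
            return "block", f"path segment {segment!r} looks like an opaque token"
    return "allow", "host allowlisted and path contains no opaque tokens"


def audit(urls: list[str]) -> dict[str, tuple[str, str]]:
    """Classify a batch of URLs; useful for logging every proposed fetch."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample input, including the URL from the comment above.
    samples = [
        "llm-images.com/cat_bicycle/85a393ca1c36d9c6",
        "https://images.example-internal.test/cat_bicycle/85a393ca1c36d9c6",
        "https://images.example-internal.test/cat_bicycle/preview.png",
        "https://images.example-internal.test/cat.png?note=hello",
    ]
    for url, (verdict, reason) in audit(samples).items():
        print(f"{verdict:5}  {url}  ({reason})")
```

Logging the verdict and reason for every proposed fetch is what makes this useful operationally: a burst of blocked opaque-token URLs in one session is a detection signal in its own right, independent of whether any single fetch would have succeeded.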



I already included a defeat for the mitigation in my own comment, specifically because I didn't want to entice people who will attempt to boil the concept of security down into an HN thread with a series of ripostes and one-upmanships that can never actually resolve, since that's simply the nature of the cat and mouse game...

As my comment states, we've already been through this. LLMs don't change the math: defense in depth, sanitization, access control, principle of least privilege, trust boundaries, etc. etc.; it's all there. The flavors might be different, but the theory stays the same.

Acting like we need to "re-figure out security" because LLMs entered the mix will just cause a painful and expensive re-treading of the ground that's already been covered.
