Fair point although I’ve seen ‘prompt injection’ used both ways.

Regarding your scenarios, “…mark this email with the highest priority label” is pretty interesting and likely possible in my toy implementation. “…archive any emails…” is not, though, because the agent is applied independently to each email and can only perform actions on that specific email. In that case the security layer is in the tools as described in the essay.