Restricting output from a subagent (not allowing arbitrary strings anywhere in the output) seems like a way to minimize the risks of prompt injection attacks, though? Sometimes you only need to get a boolean or an enum back from a query.