In my experience, anytime someone suggest that it’s possible to “just” do something, they are probably missing something. (At least, this is what I tell myself when I use the word “just”)

If you tag your inputs with flags like that, you’re asking the LLM to respect your wishes. The LLM is going to find the best output for the prompt (including potentially malicious input). We don’t have the tools to explicitly restrict inputs like you suggest. AFAICT, parameterized sql queries don’t have an LLM based analog.

It might be possible, but as it stands now, so long as you don’t control the content of all inputs, you can’t expect the LLM to protect your data.

Someone else in this thread had a good analogy for this problem — when you’re asking the LLM to respect guardrails, it’s like relying on client side validation of form inputs. You can (and should) do it, but verify and validate on the server side too.