niyikiza 7 hours ago
Exactly. I'm experimenting with a "Prepared Statement" pattern for Agents to solve this: Before any tool call, the agent needs to show a signed "warrant" (given at delegation time) that explicitly defines its tool & argument capabilities. Even if prompt injection tricks the agent into wanting to run a command, the exploit fails because the agent is mechanically blocked from executing it.
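The warrant pattern described above, as an added example that is not the commenter's code: the delegating principal signs a capability list at delegation time, and a gate checks every tool call against it (tool name and each argument against an anchored regex) before anything executes. The HMAC key, tool names and path patterns are assumed for illustration; a real deployment would use an asymmetric signature so the agent cannot mint its own warrants.

```python
import hmac, hashlib, json, re
from typing import Any

# Hypothetical key shared by the delegating principal and the tool gate.
GATE_KEY = b"example-delegation-key"

def _canon(caps: dict) -> bytes:
    # Canonical encoding so the signature covers the exact capability list.
    return json.dumps(caps, sort_keys=True, separators=(",", ":")).encode()

def issue_warrant(caps: dict[str, dict[str, str]], key: bytes = GATE_KEY) -> dict:
    """Delegation time: caps maps tool name -> {argument name: anchored regex}."""
    return {"caps": caps, "sig": hmac.new(key, _canon(caps), hashlib.sha256).hexdigest()}

def check_tool_call(warrant: dict, tool: str, args: dict[str, Any],
                    key: bytes = GATE_KEY) -> tuple[bool, str]:
    """Call time: verify the signature, then fail closed on any tool or argument
    the warrant does not explicitly cover. Returns (allowed, reason)."""
    expected = hmac.new(key, _canon(warrant["caps"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, warrant["sig"]):
        return False, "warrant signature invalid"
    allowed = warrant["caps"].get(tool)
    if allowed is None:
        return False, f"tool {tool!r} not in warrant"
    for name, value in args.items():
        pattern = allowed.get(name)
        if pattern is None:
            return False, f"argument {name!r} not permitted for {tool!r}"
        # fullmatch: the whole value must match, so "../" tricks cannot slip past
        # a pattern that does not permit "/" or ".." in that position.
        if not re.fullmatch(pattern, str(value)):
            return False, f"argument {name}={value!r} outside warrant"
    return True, "ok"

# Constructed warrant: the agent may only read CSV reports from one directory
# and may only email addresses in one domain.
DEMO_WARRANT = issue_warrant({
    "read_file": {"path": r"/srv/reports/[A-Za-z0-9_.-]+\.csv"},
    "send_email": {"to": r"[a-z.]+@example\.com", "body": r"[\s\S]{0,2000}"},
})

if __name__ == "__main__":
    # A prompt-injected call the agent "wants" to make is blocked mechanically.
    print(check_tool_call(DEMO_WARRANT, "run_shell", {"cmd": "curl attacker.example"}))
    print(check_tool_call(DEMO_WARRANT, "read_file", {"path": "/srv/reports/../../etc/passwd"}))
    print(check_tool_call(DEMO_WARRANT, "read_file", {"path": "/srv/reports/q3.csv"}))
```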