Hacker News

scirob, today at 9:52 AM, 0 replies

Another option:

If you have an LLM on the untrusted customer side the worst it can do is expose the instructions it had on how to help the customer get stuff done. For instance phone AI that is outside of trusted zone asks the user for Customer number, DOB and some security pin then it does the API call to login. But this logged in thread of LLM+Customer still only has access to that customer's data but can be very useful.

You can jailbreak and ask this kind of client side LLM to disregard prior instructions and give you a recipe for brownies. But that's not a security risk for the rest of your data.

Client side LLMs for the win
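One way to implement the scoping the comment describes, as an added example that is not the commenter's code: the untrusted-zone assistant gathers credentials, the trusted zone issues a session bound to exactly one customer, and every tool the assistant may call is checked against that session. The account store, `login`, `get_balance` and `handle_tool_call` are hypothetical names constructed for illustration.

```python
# Added example: binding an untrusted-zone assistant's tool access to the
# authenticated customer, so a jailbroken prompt cannot reach other data.
import hmac
from dataclasses import dataclass

# Constructed sample back end: customer records keyed by customer number.
ACCOUNTS = {
    "C1001": {"dob": "1980-01-01", "pin": "4321", "balance": 120.50},
    "C2002": {"dob": "1975-06-30", "pin": "9876", "balance": 9000.00},
}


class AuthError(Exception):
    pass


@dataclass(frozen=True)
class CustomerSession:
    customer_id: str  # the only customer this session is allowed to touch


def login(customer_id, dob, pin):
    """Trusted-zone login. Verifies the credentials the assistant collected
    and returns a session bound to one customer. Credentials are never
    handed back to the model; only the session object is."""
    rec = ACCOUNTS.get(customer_id)
    if rec is None or rec["dob"] != dob or not hmac.compare_digest(rec["pin"], pin):
        raise AuthError("invalid credentials")
    return CustomerSession(customer_id)


def get_balance(session, customer_id):
    """Tool exposed to the model. The model-supplied customer_id is checked
    against the session, not trusted on its own."""
    if customer_id != session.customer_id:
        raise AuthError("session not authorized for this customer")
    return ACCOUNTS[customer_id]["balance"]


def handle_tool_call(session, name, args):
    """Dispatch layer: the model chooses a tool and arguments, but only
    allowlisted tools run, and each one receives the session as its
    authority, so 'ignore prior instructions' changes nothing here."""
    tools = {"get_balance": get_balance}
    if name not in tools:
        raise AuthError(f"unknown tool {name!r}")
    return tools[name](session, **args)
```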