I can recommend having a look at secure design patterns for LLM agents. Simon Willison has a great post on this: https://simonwillison.net/2025/Jun/13/prompt-injection-desig...