Hacker News

lelanthran, today at 7:00 PM

> Maybe I'm missing something because I really haven't studied this issue much at all, but would it not be possible to designate some new character as "START_ROLE_TAG" and "END_ROLE_TAG", and then to strip those in any data put into tool responses?

They did that - the malicious input can be in any tag, but the LLM determines the role from the style of speaking, not the tag.