> We show prompt injections are driven by a flaw in how LLMs perceive roles.

LLMs don't "perceive roles", and that is exactly the problem.