> You can just make the tool calls restricted/scoped to whatever the calling account has access to (or in this case the repo)
This is a fix for the harness, not the model.
As an analogy to SQL, this is like "fixing" SQL injections by having JS on the frontend escape/sanitise the values sent to the backend, while the backend does not use parameterised statements.
The harness is the front-end, the model is the backend. There is no way to currently fix the backend with parameterised prompts.