If you feed data to a LLM then there will always be a prompt injection. What you described is limiting the damage that the prompt injection can do, but also its usefulness.
You have a set of apis that user can access to do something, the llm uses those same apis. How is that limiting usefulness? By not invoking apis user is not allowed to?
Why is it limiting the usefulness?
You have a set of apis that user can access to do something, the llm uses those same apis. How is that limiting usefulness? By not invoking apis user is not allowed to?