Limiting the options an LLM has does not turn it into a menu, because it can create infinite combinations/chains of behavior based on the items that it has.
Of course, that power also makes it harder to anticipate security issues--if you can't solve prompt injection, you have to reason as if every thing you allow the LLM to see is an API that an attacker has access to.
However, there are still necessarily going to be middle points where the LLM is more capable than a menu.