I'm thinking about what this post explains more clearly than I can:
https://simonwillison.net/2025/Jun/16/the-lethal-trifecta
Seems to me that these kinds of systems, by design, tick all three boxes. I've had many discussions with people that let agent systems read and act on their incoming email, for instance, and I think it's utter insanity from a security perspective.