No, they are doing this the only possible way that doesn't massively restrict it being useful at all. That doesn't make it the right way.

A fundamental vulnerability to prompt injection means pretty much any output can be dangerous, and they have to expose it to largely untrusted input to be useful at all.

Even limiting output to ASCII text only is probably not entirely safe.

The right way at this point would be to not use AI.