Engram already has namespace isolation — API keys scope memory per-agent, spaces partition further within a user, and key scopes can be set to read-only. One agent's memories don't surface in another's recall unless you deliberately share a key. The prompt injection via recalled content point is fair but that's true of any retrieval system feeding an LLM. The memory layer stores and retrieves text — sanitizing what goes into the context window is the agent framework's job. Same reason you don't expect a database to prevent SQL injection at the storage layer. Always interested in adversarial testing though, feel free to share.