This seems to prevent your keys from being exfiltrated through prompt injection. But if your agent could've been prompt injected into giving out keys, then it can also be prompt injected into using the services it has (fake) keys for to the attacker's benefit.