Came here to say the same thing. My security researcher friends always point out that security is solved: simply don't build the system and there will be no security threats. But that's not entirely _useful_.

Loved reading the article but it's not a great demonstration of protection against prompt injection. Better would be if the agent were instructed to reply to each email, but never to reveal the secret.

Perhaps round 2?