These are the same people who will give the LLM full write access on the disk and complain that it performed destructive actions.
If you don’t want an AI Agent to read private repos then you do not give the AI agent access to the private repos. This is not a permission bypass issue but a prompt injection issue which can’t be reliably solved at the Agent layer