Forget the SQL injection analogy. The actual finding here is that GitHub had guardrails to block data leaks, and the word "Additionally" broke them. Not by ignoring the guardrail — the model satisfied both the guardrail and the injected instruction at once. One word, zero credentials, private repo leaked.