The SQL injection analogy breaks down because LLMs don’t have a fixed execution grammar.

Treating prompts as untrusted input streams rather than instructions helped us reason about the problem more clearly, especially for production systems.