Ah, thanks for that break down, makes perfect sense now.

Putting aside the "LLM" part, it seems very similar to the situation where we don't just "exec" stuff from inside code that takes user input, because you're opening up a can of security worms.