In this post's example, the agent would be limited by the author's scope inside the organization and, therefore, be incapable of exposing any unwanted file.
No.
> In this post's example, the agent would be limited by the author's scope inside the organization and, therefore, be incapable of exposing any unwanted file.
That still allows prompt injection to exfiltrate the authors files. That's the whole exploit - files that the author has, that he doesn't want exfiltrated.