Can someone help me understand why classic sanitizing is not used as a solved problem to prompt injection? All these tags, patterns, etc, feel like prime for a parser rule, but maybe I am thinking too abstract here and missing an obvious knowledge gap I have on LLMs
Role tags are not actual symbols "<system>", they are special tokens that do not correspond to any normal text. So you can't really inject a role tag, that is not the actual problem.
