The actual damage comes from data leaving the trust boundary, although we are still testing deterministic solutions for ingress.
Obviously, you cannot use more prompts to reliably solve for prompt injection.