> This attack stems from the combination of two design flaws: overprivileged database access (service_role) and blind trust in user-submitted content.
No, there is only one design flaw, the overprivileged database access. An LLM shouldn't be given more access than the user who is interacting with the LLM has.