Hacker News

The sad thing is it's not even difficult to get right. I've got something launching soon with a couple different chatbots that I'll share with you later, and it would never even have occurred to me to rely on system prompts for security. A chatbot in my mind is just a CLI with extra steps; if the bot is given access to something, the user is presumed to have equal access.
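
The access model the comment describes, as an added example that is not part of the original comment: every tool call the model proposes is authorized against the authenticated user's own permissions, so the system prompt plays no part in the decision. The names `Session`, `TOOLS`, `dispatch`, `run_turn` and the permission strings are hypothetical.

```python
from dataclasses import dataclass

# Constructed tool registry: each tool names the permission the *caller* must hold.
TOOLS = {
    "read_invoice": ("invoices:read", lambda a: f"invoice {a['id']}: $120.00"),
    "delete_invoice": ("invoices:write", lambda a: f"invoice {a['id']} deleted"),
}


@dataclass(frozen=True)
class Session:
    user: str
    permissions: frozenset  # from the authenticated session, never from model output


class Denied(Exception):
    pass


def dispatch(session, tool_call):
    """Run one model-proposed tool call with the user's own permissions."""
    name = tool_call.get("name")
    if name not in TOOLS:
        raise Denied(f"unknown tool: {name!r}")
    required, handler = TOOLS[name]
    if required not in session.permissions:
        raise Denied(f"{session.user} lacks {required}")
    return handler(tool_call.get("arguments", {}))


def run_turn(session, model_output):
    """Treat each proposed call as if the user had typed it at a CLI."""
    results = []
    for call in model_output:
        try:
            results.append(("ok", dispatch(session, call)))
        except Denied as exc:
            results.append(("denied", str(exc)))
    return results


# Constructed model output: calls the model proposes, whatever its system prompt said.
SAMPLE_OUTPUT = [
    {"name": "read_invoice", "arguments": {"id": 7}},
    {"name": "delete_invoice", "arguments": {"id": 7}},
]

if __name__ == "__main__":
    viewer = Session("alice", frozenset({"invoices:read"}))
    for status, detail in run_turn(viewer, SAMPLE_OUTPUT):
        print(status, detail)
```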

