
Comment by amdivia

10 hours ago

Also what people forget, even read access alone can be used to communicate with an attacker.

Assume locally I know a read-only agent (running on account A) is reading a specific file from user B. Assume it has access to a secret that user B cannot observe. By prompt injection, you can have the read-only agent encode the secret as a "read" pattern that user B can decode by looking at file access times.

(You can think of fetch requests and the like for more involved cases.)

So read-only, while helpful, does not innately prevent communication with an attacker.
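An added check from the defender's side (example code, not part of the comment above): the access-time channel the commenter describes only exists when a read actually advances `st_atime` (depends on the mount's `relatime`/`noatime`/`strictatime` setting) and when another user can `stat()` the file at all, which requires search permission on every ancestor directory. The script tests both conditions for a given path; the temp directory, file name and contents are constructed for the demo.

```python
import os
import stat
import tempfile
import time


def atime_advances_on_read(path: str) -> bool:
    """True if a plain read() of `path` pushes its st_atime forward.

    Linux mounts default to 'relatime': atime is refreshed only when it is not
    newer than mtime/ctime or is older than 24h, so repeated reads are mostly
    invisible. 'strictatime' records every read; 'noatime' records none.
    """
    before = os.stat(path).st_atime_ns
    time.sleep(0.02)  # let the clock move so an update is distinguishable
    with open(path, "rb") as fh:
        fh.read()
    return os.stat(path).st_atime_ns > before


def observable_by_other_users(path: str) -> bool:
    """True if the 'other' mode bits let a non-owner stat() `path`.

    stat() needs x permission on each ancestor directory; the file's own read
    bit is irrelevant, so a 0600 file in a 0755 home directory still exposes
    its access time. Only classic mode bits are checked (no ACL lookup).
    """
    parent = os.path.dirname(os.path.abspath(path))
    while True:
        if not os.stat(parent).st_mode & stat.S_IXOTH:
            return False
        if parent == os.path.dirname(parent):  # reached the filesystem root
            return True
        parent = os.path.dirname(parent)


def atime_channel_report(path: str) -> dict:
    """The read pattern leaks only if atime moves AND another user can see it."""
    advances = atime_advances_on_read(path)
    visible = observable_by_other_users(path)
    return {"atime_advances": advances, "visible_to_others": visible,
            "leaks_read_pattern": advances and visible}


def run_demo() -> dict:
    """Constructed sample: a file inside a private (0700) temp directory."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o700)  # closing the directory is the mitigation shown here
        p = os.path.join(d, "secret.txt")
        with open(p, "w") as fh:
            fh.write("demo")
        return atime_channel_report(p)


if __name__ == "__main__":
    print(run_demo())
```

Run it against a real agent-readable file to see whether the mount and the directory permissions together make read timing visible to other local accounts; mounting with `noatime` or closing the directory's `other` bits each breaks the channel independently.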