Comment by OutOfHere

6 hours ago

One can use custom message roles and indented XML for such data. If this doesn't help, your model hasn't undergone basic training in prompt injection. SoTA models are expected to have undergone it.

Hiding the data via encryption or templating or tool calling doesn't reliably work because the data is needed for other questions.

Also, all potentially harmful actions must require approval in a fresh context by an independent workflow or agent.
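As an added illustration of the approach described in the comment above (written for this page, not the commenter's code): each untrusted document is placed in its own message role as escaped XML, so an injected closing tag cannot terminate the data block early, and any tool call on a constructed list of harmful actions is approved by a separate function that sees only the proposed action and a policy, never the conversation that produced it. The role name, tool names and policy shape are assumptions.

```python
from dataclasses import dataclass
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Constructed list of tools whose invocation must be approved out-of-context.
DANGEROUS_TOOLS = {"send_email", "delete_file", "transfer_funds"}


def wrap_untrusted(source: str, text: str) -> dict:
    """Return a message in a dedicated (assumed) role whose body is escaped XML.
    Escaping <, > and & means a payload containing '</untrusted_data>' stays
    inside the <content> element instead of closing the block."""
    body = (
        "<untrusted_data>\n"
        f"  <source>{escape(source)}</source>\n"
        f"  <content>{escape(text)}</content>\n"
        "</untrusted_data>"
    )
    return {"role": "untrusted_data", "content": body}


def untrusted_boundary_intact(message: dict) -> bool:
    """Verify the wrapped message still parses as one element with exactly
    the expected children; any early-closing payload would break this."""
    root = ET.fromstring(message["content"])
    return root.tag == "untrusted_data" and [c.tag for c in root] == ["source", "content"]


@dataclass
class ProposedAction:
    tool: str
    args: dict


def requires_approval(action: ProposedAction) -> bool:
    """Potentially harmful actions never execute directly from the agent loop."""
    return action.tool in DANGEROUS_TOOLS


def independent_approval(action: ProposedAction, policy: dict) -> bool:
    """Fresh-context gate: receives only the proposed action and a policy of
    allowed argument values (assumed shape: {tool: {arg: set_of_values}}).
    Because the original prompt and retrieved data are not passed in, injected
    instructions in that data cannot argue this check into approving."""
    allowed = policy.get(action.tool)
    if allowed is None:
        return False
    return all(action.args.get(arg) in values for arg, values in allowed.items())
```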