The XPC architecture is the right call for privilege separation … it’s what makes sandboxing trustworthy on macOS rather than just advisory. I’m really curious how it handles the trust boundary between LLM responses and the XPC service layer. The most obvious attack surface is prompt injection via a document the agent reads, which then instructs it to do something in Safari or Messages that the user wouldn’t normally sanction. XPC gives you OS-enforced process isolation but doesn’t help you if the privileged process is faithfully executing a poisoned instruction.
What’s the current model for distinguishing user intent from “content the agent read”? Is it purely the system prompt guidance, or is there something structural?
What’s the current model for distinguishing user intent from “content the agent read”? Is it purely the system prompt guidance, or is there something structural?
Thanks for posting.
reply