I think the other commenters are correct that the fundamental issue is that LLMs use in-band signaling with a probabilistic system.
That said, I think finer-grained permissions at the deterministic layer and at the layer interface boundary could have blunted this a lot, and are worthwhile.
Except setting a fine-grained enough layer might be labor-intensive enough that one might as well go for the task to be done and skip the LLM altogether.