The framing that prompt injection exploits the very instruction-following that makes LLMs useful is the crux for me, and it is why this is harder than SQL injection. With SQL you can parameterize to separate code from data, but natural language has no clean boundary between the instruction and the untrusted content, so input filtering alone only goes so far. Of the prevention strategies you list, which held up best under adversarial testing, and did any survive an attacker who phrases the injection as an innocuous continuation of the task?