In Part 1, we established why LLMs are vulnerable: the attention mechanism treats all input tokens equally, with no architectural separation between trusted instructions and untrusted user data. Now ...