You are building an AI research assistant that can browse the web, read uploaded PDFs, and send emails on the user's behalf.
(1) Describe an indirect prompt injection attack: what content would an attacker create, where would they put it, and what would the attack cause the assistant to do? Be concrete with the actual injected text.
(2) Propose three mitigations and for each explain what it prevents and what it cannot prevent. Cover at least: instruction hierarchy, input/output classifiers, and least-privilege capability scoping.
(3) If you had to choose between (a) giving the assistant full email access with robust prompt injection defenses, or (b) read-only email access with no additional defenses, which would you choose and why? Explain why this is fundamentally a question about blast radius rather than detection.