Hacker News

I keep telling people that the best rule-of-thumb threat model is that your LLM is running as JavaScript code in the user's browser.

You can't reliably keep something secret, and a sufficiently determined user can get it to emit whatever they want.
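What that rule of thumb looks like in a backend, as an added example that is not part of the comment above: the model's proposed tool call is parsed and authorized exactly like a request body from client-side JavaScript (allowlist, strict argument schema, ownership checked against the server's own session), and the prompt assembler refuses to interpolate server-held secrets because a secret in the prompt counts as already disclosed. The tool names, the `User` dataclass, the `payments_api_key` value and all model outputs are constructed for the example.

```python
import json
from dataclasses import dataclass, field

# Constructed tool surface: tool name -> the exact argument keys it accepts.
ALLOWED_TOOLS = {"get_order": {"order_id"}, "cancel_order": {"order_id"}}

# Credentials the server needs to execute tools. They stay server-side; the
# model only sees tool names. (Constructed placeholder, not a real key.)
SERVER_SIDE_SECRETS = {"payments_api_key": "constructed-example-key-not-real"}


@dataclass
class User:
    """The authenticated session, established by the server, never by the model."""
    user_id: str
    order_ids: set = field(default_factory=set)


class Rejected(Exception):
    """Model output failed server-side validation."""


def parse_tool_call(raw: str) -> dict:
    """Parse a model-proposed tool call as you would any untrusted request body."""
    try:
        call = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise Rejected("malformed tool call") from exc
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        raise Rejected("unexpected top-level shape")
    if not isinstance(call["tool"], str) or not isinstance(call["args"], dict):
        raise Rejected("tool must be a string and args an object")
    return call


def authorize_tool_call(user: User, raw_model_output: str) -> tuple:
    """Decide whether the proposed call may run, using only server-held facts.
    Anything the model asserts about roles or ownership is ignored."""
    call = parse_tool_call(raw_model_output)
    tool, args = call["tool"], call["args"]
    if tool not in ALLOWED_TOOLS:
        raise Rejected(f"tool {tool!r} is not exposed to the model")
    if set(args) != ALLOWED_TOOLS[tool]:  # extra keys like "role": "admin" are rejected
        raise Rejected(f"unexpected arguments for {tool!r}: {sorted(args)}")
    order_id = args["order_id"]
    if not isinstance(order_id, str) or order_id not in user.order_ids:
        raise Rejected("order is not owned by the authenticated user")
    return tool, order_id


def is_authorized(user: User, raw_model_output: str) -> bool:
    """Yes/no wrapper around authorize_tool_call."""
    try:
        authorize_tool_call(user, raw_model_output)
        return True
    except Rejected:
        return False


def render_system_prompt(template: str, variables: dict) -> str:
    """Assemble a system prompt, refusing any server-side secret: under the
    browser-JavaScript model the prompt is readable by a determined user."""
    secret_values = set(SERVER_SIDE_SECRETS.values())
    for name, value in variables.items():
        if name in SERVER_SIDE_SECRETS or (isinstance(value, str) and value in secret_values):
            raise Rejected(f"refusing to put secret {name!r} into a user-readable prompt")
    return template.format(**variables)


def prompt_is_safe(template: str, variables: dict) -> bool:
    try:
        render_system_prompt(template, variables)
        return True
    except Rejected:
        return False


def demo() -> dict:
    """Run constructed model outputs through the checks; returns outcome per case."""
    alice = User("alice", {"o-1001"})
    cases = {
        "own_order": '{"tool": "get_order", "args": {"order_id": "o-1001"}}',
        "someone_elses_order": '{"tool": "cancel_order", "args": {"order_id": "o-2002"}}',
        "tool_not_exposed": '{"tool": "delete_account", "args": {"user_id": "alice"}}',
        "claimed_admin_role": '{"tool": "cancel_order", "args": {"order_id": "o-1001", "role": "admin"}}',
        "not_json": "Sure! Cancelling order o-2002 now.",
    }
    return {name: is_authorized(alice, raw) for name, raw in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} -> {'allowed' if ok else 'rejected'}")
```

The point of the strict `set(args) != ALLOWED_TOOLS[tool]` comparison is that a prompt-injected or simply confused model can emit any JSON it likes; the server accepts only the shape it defined, and derives identity from the session object rather than from anything in the model's text.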


