Hacker News

I wonder if this problem kinda solves itself over time. Prompt injection techniques are being discussed all over the web, and at some point, all of that text will end up in the training corpus.

So, while it’s not currently effective to add “disallow prompt injection” to the system message, it might be extremely effective in future - without any intentional effort!


