The privileged LLM can still do useful LLM-like things, but it's restricted to input that came from a trusted source.
For example, you as the user can say "Hey assistant, read me a summary of my latest emails".
The privileged LLM can turn that human language instruction into actions to perform - such as "controller, fetch the text of my latest email, pass it to the quarantined LLM, get it to summarize it, then read the summary back out to the user again".
For example, you as the user can say "Hey assistant, read me a summary of my latest emails".
The privileged LLM can turn that human language instruction into actions to perform - such as "controller, fetch the text of my latest email, pass it to the quarantined LLM, get it to summarize it, then read the summary back out to the user again".
More details here: https://simonwillison.net/2023/Apr/25/dual-llm-pattern/
A that post says, I don't think this is a very good idea! It's just the best I've got at the moment.