Good question, the attack doesn't require direct DB access. Many RAG pipelines auto-ingest from web crawlers, RSS feeds, third-party docs, or user uploads. If an attacker can get a crafted document into any of those pipelines, they control what context gets retrieved. The threat is the ingestion surface, not the database itself.