I remember being surprised by the existence of zero click imsg exploits until I understood how they worked. Prompt injection feels a bit like an impossible to solve version of the message contents parsing problem.