The part people miss is that prompt injection is just the delivery mechanism but the actual vulnerability is that there's no enforcement layer between the agent's decision and the action firing. You can harden the prompt all you want, but if the agent resolves to "send email with attachment" after parsing a poisoned webpage, nothing stops it unless you have a deterministic gate at the action boundary that validates against policy before execution.
