What stops someone prompt injecting the first LLM into passing unsanitised data to the second?