I follow the security researcher WunderWuzzi. He is doing really interesting work on little-to-no-user-interaction data exfiltration using prompt injection in all the major AI tools...

He figured out how to get Copilot to search a user's email for keywords through a prompt-injection attack sent in an email to someone using Copilot:

https://embracethered.com/blog/posts/2024/m365-copilot-prompt-injection-tool-invocation-and-data-exfil-using-ascii-smuggling/

It's a wild world out there.

Microsoft Copilot: From Prompt Injection to Exfiltration of Personal Information · Embrace The Red