How did the geniuses at OpenAI have such obvious workarounds to essentially give anyone super user access?
It doesn't seem especially surprising to me. The space of possible inputs for something that's designed to be interacted with in natural language is vastly larger than it is for a standard command-based interface. If you try to lock this kind of stuff down too hard, you're going to end up restricting the LLM so much that it won't be very useful for the intended applications. If you want something that interacts like a person having a conversation, it's going to be vulnerable to conversation-based manipulation.