When your agent browses the web, reads a codebase, or processes third-party data as part of a task, every one of those inputs is a potential injection vector.
The agent can’t reliably distinguish between “data I should process” and “instructions I should follow”.
