As you say, LLMs currently don't distinguish instructions from data, there is one stream of tokens, and AFAIK no one knows how to build a two-stream system that can still learn from the untrusted stream without risk.