The attacker isn't the dev -- the attacker is a third party that poisoned the online data that is ingested by the AI tool.
- Dev builds secure AI app
- App defends against indirect prompt injection in data from the internet
- Dev reviews the flagged log
- Log affected by the injection is rendered, and the attacker who wrote the injection in the web data exfiltrates the data from the AI app user
I'm impressed Superhuman seems to have handled this so well - lots of big names are fumbling with AI vuln disclosures. Grammarly is not necessarily who I would have bet on to get it right