There's a documented real-world case worth learning from: in 2025, researchers at Legit Security showed GitLab Duo could be steered by instructions hidden inside ordinary project content. Part of what made it work was concealment — payloads obscured with tricks like Unicode smuggling and Base16 encoding so they wouldn't be obvious to a human or a naive text filter. GitLab patched it (tracked as duo-ui!52).
I bring it up because it lines up with a blind spot I just documented in my own scanner. My tool checks for Category-1 system-prompt leakage as readable strings. If a leak is base64'd, split across tokens, spaced out, or otherwise transformed, my deterministic substring matcher doesn't see it. Rather than imply coverage I don't have, I added an explicit warning to the scan output and --canary help: encoded/split leaks are not detected.
The honest framing: catching the plain, verbatim case is real and testable. Catching every encoded variant is not something a deterministic matcher does — and pretending otherwise would defeat the purpose.
The scanner (and the limitation itself) is open source: https://github.com/ghkfuddl1327-wq/rojaprove
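The blind spot described above, as an added example that is not rojaprove's code: a verbatim canary check next to a best-effort normalizing pass, run over constructed outputs. The canary value, function names and sample strings are all assumptions made for illustration.

```python
import base64
import re

# Constructed canary; a real scan would plant its own unique marker.
CANARY = "CANARY-7f3a-system-prompt"
ZERO_WIDTH = re.compile("[\u200b-\u200d\u2060\ufeff]")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def verbatim_hit(output: str, canary: str = CANARY) -> bool:
    """Deterministic substring check: only sees the readable, contiguous form."""
    return canary in output

def normalized_hit(output: str, canary: str = CANARY) -> bool:
    """Best-effort extras: undo zero-width splits, spacing, and plain base64."""
    text = ZERO_WIDTH.sub("", output)
    if canary in re.sub(r"\s+", "", text):
        return True
    for run in B64_RUN.findall(text):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4))
        except ValueError:  # binascii.Error subclasses ValueError
            continue
        if canary.encode() in raw:
            return True
    return False

# Constructed model outputs: the transformations the post names, plus a
# reversed string standing in for "otherwise transformed".
SAMPLES = {
    "plain": f"My instructions say: {CANARY}",
    "base64": "Encoded: " + base64.b64encode(CANARY.encode()).decode(),
    "spaced": " ".join(CANARY),
    "zero_width": CANARY[:6] + "\u200b" + CANARY[6:],
    "base16": "Hex: " + CANARY.encode().hex(),
    "reversed": CANARY[::-1],
}

def coverage() -> dict:
    """Map each sample name to (verbatim result, normalized result)."""
    return {name: (verbatim_hit(o), normalized_hit(o)) for name, o in SAMPLES.items()}

if __name__ == "__main__":
    for name, (plain, norm) in coverage().items():
        print(f"{name:11} verbatim={plain!s:5} normalized={norm}")
```

The normalizing pass recovers only the transforms it was written for; the Base16 and reversed samples still pass through undetected, which is why the scan output states the gap instead of implying coverage.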