Threat modeling an LLM app means walking the same pipeline — data in, model, tools, output — and asking, for each stage, who controls the input and what they could get it to do. A useful frame: separate trusted input (your own system prompt, your own code) from untrusted input (anything a user typed, anything fetched from the web, any document a user uploaded) — because the model can't reliably tell the difference on its own.
Once you've drawn that trust boundary, ask what happens if untrusted input contains instructions instead of just data. If the answer is 'the model might just follow them,' you've found your highest-priority risk — and it's very likely the RAG documents or tool outputs, not the chat box itself.