Dependency-Aware Privacy for Multi-turn Agents

Date: 2026-05-04
Citations: 0
Influential: 0

AI Summary
This work addresses cumulative privacy leakage in multi-round interactions with large language model (LLM) agents, where injecting independent noise in every round leads to escalating privacy loss. The loss is especially severe when sensitive attributes sit at the root nodes of the computation graph, because nonlinear transformations of those roots can amplify the risk substantially. To mitigate this, the authors propose RootGuard: a mechanism that injects calibrated noise once at the root nodes and generates all subsequent outputs deterministically from the perturbed roots, so that post-processing invariance yields a differential-privacy guarantee that does not depend on the number of rounds. By incorporating the computational dependency structure into multi-round privacy protection, and combining root-node perturbation with domain-informed privacy-budget allocation, RootGuard enables continued interaction at zero marginal privacy cost. On the NHANES medical diagnosis task (ε = 0.1), it reduces target error (7.6% wMAPE) by 2.3–3.0× compared to independent noise addition while maintaining robust privacy guarantees against multi-round MAP reconstruction attacks.
๐Ÿ“ Abstract
LLM agents release private data across multi-service interactions. Existing prompt sanitizers based on metric differential privacy treat each release independently, so adversaries combining releases across turns can recover private attributes; privacy degrades with every release. This degradation is fundamental: when private attributes are the \emph{roots} of a computation graph, independently noising a derived value amplifies the root's distinguishability by up to the deriving function's Lipschitz constant $L$, which can far exceed the nominal privacy parameter for nonlinear functions in medical and financial workflows. RootGuard sanitizes root values once and computes subsequent releases deterministically from the noised roots. By the post-processing theorem, the privacy guarantee depends only on the initial root sanitization, regardless of the adversary's functions or number of turns, and derived values inherit privacy at zero marginal cost. RootGuard further exploits structural domain knowledge (e.g., BMI from height and weight, or a known target function) to allocate budget across roots, improving the privacy-utility tradeoff. A worst-case adversary forcing $t$ turns increases the total budget $B = t \cdot \varepsilon$. RootGuard distributes this larger budget across roots, while independent noising spends $\varepsilon$ per release and gives the adversary $t$ observations to combine via MAP reconstruction. This yields a \emph{double asymmetry}: more turns aid RootGuard while weakening independent noising. On eight NHANES medical diagnostic templates, RootGuard achieves $2.3$--$3.0\times$ lower target error than independent noising at $\varepsilon = 0.1$ (7.6\% vs.\ 17.1\% wMAPE at $B = (2k{+}1)\varepsilon$). Under MAP reconstruction, more queries strengthen attacks against independent noising while RootGuard remains invariant.
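The double asymmetry the abstract describes, as an added toy simulation that is not the paper's code: it assumes a one-dimensional Laplace metric-DP sanitizer with scale 1/ε, BMI derived from height (cm) and weight (kg), an equal budget split across the two roots, and an adversary whose flat-prior MAP estimate over i.i.d. Laplace-noised releases is the sample median. The patient record is constructed, not NHANES data.

```python
import math
import random
import statistics

def laplace(rng, scale):
    """Laplace(0, scale) sample via the inverse CDF (no numpy needed)."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))

def bmi(height_cm, weight_kg):
    return weight_kg / (height_cm / 100.0) ** 2

def independent_releases(rng, height_cm, weight_kg, eps, turns):
    """Baseline: every turn re-noises the derived BMI with scale 1/eps, so eps
    is spent per release and the adversary collects `turns` fresh samples."""
    true_bmi = bmi(height_cm, weight_kg)
    return [true_bmi + laplace(rng, 1.0 / eps) for _ in range(turns)]

def rootguard_releases(rng, height_cm, weight_kg, eps, turns, split=(0.5, 0.5)):
    """RootGuard-style: noise the roots once with the whole budget B = turns*eps
    (split across roots), then derive every turn deterministically from them."""
    budget = turns * eps
    h = height_cm + laplace(rng, 1.0 / (split[0] * budget))
    w = weight_kg + laplace(rng, 1.0 / (split[1] * budget))
    # Clamping is post-processing: it costs no privacy and stops a wildly
    # noised height from producing an absurd BMI.
    h, w = min(max(h, 120.0), 220.0), min(max(w, 30.0), 250.0)
    return [bmi(h, w) for _ in range(turns)]

def map_estimate(releases):
    """Adversary combining releases: for i.i.d. Laplace noise and a flat
    prior the MAP (= MLE) location estimate is the sample median."""
    return statistics.median(releases)

def mean_abs_error(mechanism, eps, turns, trials=2000, seed=7):
    """Average |MAP estimate - true BMI| over repeated runs on one record."""
    rng = random.Random(seed)
    height_cm, weight_kg = 170.0, 80.0  # constructed record, not NHANES data
    true_bmi = bmi(height_cm, weight_kg)
    errs = [abs(map_estimate(mechanism(rng, height_cm, weight_kg, eps, turns)) - true_bmi)
            for _ in range(trials)]
    return statistics.fmean(errs)

def marginal_leakage_free(turns, eps=0.1, seed=1):
    """True when every RootGuard turn releases the same value: nothing new to combine."""
    return len(set(rootguard_releases(random.Random(seed), 170.0, 80.0, eps, turns))) == 1
```

Comparing `mean_abs_error(...)` for both mechanisms at growing `turns` shows the adversary's error shrinking against the baseline (more samples to combine) and against RootGuard only because the larger budget B = t·ε buys smaller root noise, while its per-turn releases stay identical.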
Problem

Research questions and friction points this paper is trying to address.

multi-turn privacy
differential privacy
private attribute recovery
privacy degradation
LLM agents
Innovation

Methods, ideas, or system contributions that make the work stand out.

RootGuard
multi-turn privacy
dependency-aware sanitization
differential privacy
computation graph roots