ebfe1 6 days ago
100% this... the authn/authz should be gated at the server that stores sensitive data... whatever token/user that MCP uses must have its access scoped down to what is needed. I guess the biggest issue right now is many of these APIs have no granular access control and are open to abuse :( With that said, for some vulnerabilities like command injection or argument injection, the responsibility is on the MCP developer to make sure they follow best practices and not let the user take control of these commands when "shelling out".
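The shell-out hygiene the comment above asks for, as an added example that is not part of the comment or of any MCP project's code: a hypothetical tool handler that takes a caller-supplied git ref, shown as the string-built anti-pattern next to a validated argv list. The names `unsafe_command`, `git_log_argv`, `run_git_log` and `SAFE_REF` are assumptions made for this sketch.

```python
import re
import subprocess

# Hypothetical MCP tool handler: list recent commits for a caller-supplied ref.
# All names here are assumptions for illustration, not a real MCP SDK API.

# Allowlist: first character alphanumeric, then a small set of ref characters.
# This excludes shell metacharacters and any value beginning with "-".
SAFE_REF = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,99}")


def unsafe_command(ref: str) -> str:
    """Anti-pattern: the caller's text is pasted into a string meant for a shell."""
    return f"git log -n 5 {ref}"


def git_log_argv(ref: str, path: str = ".") -> list[str]:
    """Build the argv list for git; raise ValueError if the ref fails validation."""
    # fullmatch (not match/search) so trailing newlines or suffixes are rejected.
    if not SAFE_REF.fullmatch(ref):
        raise ValueError(f"rejected ref: {ref!r}")
    # "--" ends option/revision parsing, so path is only ever read as a pathspec
    # even if it starts with "-".
    return ["git", "log", "-n", "5", ref, "--", path]


def run_git_log(ref: str, path: str = ".") -> str:
    """Run git with an argv list and no shell, so nothing re-parses the input."""
    proc = subprocess.run(
        git_log_argv(ref, path),
        shell=False,
        capture_output=True,
        text=True,
        timeout=10,
        check=False,
    )
    return proc.stdout
```

The allowlist addresses argument injection (a value that the called program would read as an option), while the argv list with `shell=False` addresses command injection; both are needed because avoiding the shell alone does not stop option-shaped input.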