I somewhat agree, but I think an important distinction is that in this case, you are legitimately giving the MCP server your credentials - there are no tricks there.

This is distinct from various forms of phishing where they are tricking you to give access to sensitive information. Here, you are giving that access willingly to something that is then itself vulnerable to being tricked/tricking you.