OJFord 5 days ago

I would say it's neither, it's complacent misuse by the user. As you allude to we generally already are, but non-deterministic & especially 'agentic' AI makes the stakes/likelihood of it going wrong so much higher.

Don't use an MCP server with permission (capability) to do more than you want, regardless of whether you think you're instructing the AI tool to do the bad thing it's technically capable of.

Don't run AI tools with filesystem access outside of something like a container with only a specific whitelist of directory mounts.

Assume that the worst that could happen with the capability given will happen.
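As an added illustration of the container-with-a-mount-allow-list advice above (not code from the commenter), here is a small launcher that builds a least-privilege `docker run` command. The allow-listed roots (`/home/dev/projects`, `/home/dev/datasets`) are constructed examples, and the image name is a placeholder; every mount is read-only unless explicitly marked writable, and network, capabilities and privilege escalation are denied by default.

```python
from pathlib import Path

# Constructed allow-list: the only host directories an agent may ever see.
ALLOWED_ROOTS = (Path("/home/dev/projects"), Path("/home/dev/datasets"))


def check_mount(host_path: str) -> Path:
    """Resolve a requested host path and confirm it sits under an allowed root.

    resolve() collapses '..' and symlinks, so /home/dev/projects/../.ssh is
    rejected even though it starts with an allowed prefix.
    """
    p = Path(host_path).resolve()
    for root in ALLOWED_ROOTS:
        try:
            p.relative_to(root)
            return p
        except ValueError:
            continue
    raise PermissionError(f"{host_path} resolves to {p}, outside the mount allow-list")


def build_docker_cmd(image, mounts, writable=(), argv=()):
    """Build a least-privilege `docker run` argv (pass it to subprocess.run).

    Directories in `mounts` are bind-mounted read-only under /work unless also
    listed in `writable`; network, capabilities and privilege escalation are off
    by default, so the blast radius is whatever is mounted read-write.
    """
    rw = {check_mount(w) for w in writable}
    cmd = ["docker", "run", "--rm",
           "--network", "none",                    # no egress unless deliberately added
           "--cap-drop", "ALL",
           "--security-opt", "no-new-privileges",
           "--read-only",                          # container rootfs is immutable
           "--tmpfs", "/tmp",                      # scratch space that dies with the container
           "--pids-limit", "256",
           "--user", "1000:1000"]                  # never root inside the container
    seen = set()
    for host in mounts:
        p = check_mount(host)
        if p.name in seen:
            raise ValueError(f"duplicate mount target /work/{p.name}")
        seen.add(p.name)
        mode = "" if p in rw else ",readonly"
        cmd += ["--mount", f"type=bind,source={p},target=/work/{p.name}{mode}"]
    return cmd + [image, *argv]
```

Anything the tool needs beyond this (a writable output directory, a single egress host) has to be added deliberately, which is the point: the default is the worst case already contained.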