8n4vidtmkvmk 14 hours ago

That's also one of the things that worries me the most. What kind of data is being sent to these random endpoints? What if they go rogue or change their behavior?

A static set of tools is safer and more reliable.

8note 14 hours ago | parent [-]

MCP is generally a static set of tools, where auth is handled by deterministic code and not exposed to the agent.

The agent sees tools as allowed or not by the harness/your MCP config.

For the most part, the same company that you're connecting to is providing the MCP, so it's not having your data go to random places, but you can also just write your own. It's fairly thin wrappers of a bit of code to call the remote service, and a bit of documentation of when/what/why to do so.
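The pattern described in this reply (a static tool registry, an allowlist from config, and credentials held by deterministic harness code rather than shown to the model), as an added, constructed example that is not part of the thread and does not use the real MCP SDK or any real server. The tool names, the `TOOL_CONFIG` shape, `SERVICE_TOKEN` and the `_call_remote` stand-in are all assumptions made for illustration.

```python
"""Hypothetical tool harness: fixed registry, config allowlist, harness-owned auth.
Constructed example; not the MCP SDK and not any vendor's server."""
from dataclasses import dataclass
from typing import Callable

# Constructed config: which tools the agent may call (assumed shape).
TOOL_CONFIG = {"allowed_tools": ["search_tickets"]}

# Constructed placeholder credential owned by the harness; the model never sees it.
SERVICE_TOKEN = "example-token-not-real"


@dataclass
class Tool:
    name: str
    description: str               # the only part advertised to the agent
    handler: Callable[..., dict]   # deterministic code, runs outside the model


def _call_remote(path: str, params: dict, token: str) -> dict:
    """Stand-in for the HTTP call a thin wrapper would make. Returns a
    description of the request so the example runs offline."""
    return {"path": path, "params": params, "auth_header_present": bool(token)}


def search_tickets(query: str) -> dict:
    # The token is injected here, in code; it is never an agent-supplied argument.
    return _call_remote("/tickets/search", {"q": query}, SERVICE_TOKEN)


def delete_ticket(ticket_id: str) -> dict:
    return _call_remote(f"/tickets/{ticket_id}", {"method": "DELETE"}, SERVICE_TOKEN)


# Static registry: the set of tools is fixed when the harness starts.
REGISTRY = {
    "search_tickets": Tool("search_tickets", "Search support tickets by text.", search_tickets),
    "delete_ticket": Tool("delete_ticket", "Delete a ticket by id.", delete_ticket),
}


def tools_visible_to_agent(config: dict = TOOL_CONFIG) -> list:
    """What the harness advertises to the model: names and descriptions of
    allowed tools only; handlers and credentials are never serialized."""
    allowed = set(config["allowed_tools"])
    return [{"name": t.name, "description": t.description}
            for t in REGISTRY.values() if t.name in allowed]


def dispatch(tool_call: dict, config: dict = TOOL_CONFIG) -> dict:
    """Execute one tool call emitted by the agent. Unknown or disallowed
    tools are refused before any handler runs, and an agent-supplied
    credential is rejected rather than forwarded."""
    name = tool_call.get("name")
    args = dict(tool_call.get("arguments", {}))
    if name not in REGISTRY:
        return {"error": f"unknown tool: {name}"}
    if name not in config["allowed_tools"]:
        return {"error": f"tool not allowed by config: {name}"}
    if {k.lower() for k in args} & {"token", "authorization"}:
        return {"error": "auth is handled by the harness, not the agent"}
    try:
        return REGISTRY[name].handler(**args)
    except TypeError as exc:
        # Argument names the handler does not accept: refuse, do not guess.
        return {"error": f"bad arguments for {name}: {exc}"}


if __name__ == "__main__":
    print("advertised:", tools_visible_to_agent())
    print(dispatch({"name": "search_tickets", "arguments": {"query": "login"}}))
    print(dispatch({"name": "delete_ticket", "arguments": {"ticket_id": "42"}}))
```

The point of the shape is that the agent's only influence is the tool name and its documented arguments; which tools exist, which are enabled, and what credential is attached are all decided by code and config that the model cannot edit at runtime.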