mcp is generally a static set of tools, where auth is handled by deterministic code and not exposed to the agent.

the agent sees tools as allowed or not by the harness/your mcp config.

For the most part, the same company that you're connecting to is providing the mcp, so its not having your data go to random places, but you can also just write your own. its fairly thin wrappers of a bit of code to call the remote service, and a bit of documentation of when/what/why to do so