MCP's security model is deliberately minimal at the protocol layer and deliberately strong at the host layer. The protocol does not enforce permissions; it provides the foundation on which the host enforces them. Exposing too much. A server that wraps an internal API and exposes just about every endpoint as a tool produces a