We also recently published our approach on MCP security for mcp.run. Our "servlets" run in a sandboxed environment; this should mitigate a lot of the concerns that have been recently raised.
The main concern I have is that there isn't a well-defined security context in any agentic system. They are assumed to be "good", but that's not good enough.