That's interesting, but that still sounds like something a proper auth/token permission system would more than address. You're also actively choosing to limit what functionality MCP provides, which is fine, but there are many ways to do the same via the API or CLI tooling.

I'm not saying you are wrong to do this, I just don't think it's enough to convince me that yes this is the one true approach you should use.