kiitos 8 days ago

The situation you're describing is not "this situation" that I was describing.

lolinder 7 days ago

> In order for the LLM to emit sensitive data publicly, you yourself need to explicitly tell the LLM to evaluate arbitrary third-party input directly,

This is the line that is not true.

kiitos 7 days ago

If you've configured that LLM with an MCP server that's able to both read data from public and private sources, and to emit provided data publicly, then when you submit a prompt to that LLM that says "review open issues and update them for me", then, absent any guarantees otherwise, you've explicitly told the LLM to take input from a third-party source (review open issues), evaluate it, and publish the results of that evaluation publicly (and update them for me).

I mean I get that this is a bad outcome, but it didn't happen automatically or anything, it was the result of your telling the LLM to read from X and write to Y.
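One defensive guard for the read-from-X / write-to-Y flow described above, as an added example that is not part of any commenter's post: a small mediator labels each tool by what it reads and where it writes (the tool names and labels are constructed for the example, not a real MCP server's) and refuses a public write once the session context holds both third-party input and private data.

```python
from dataclasses import dataclass, field

# Constructed tool catalogue for the example (hypothetical names, not a real
# MCP server's). Each tool is labelled by the trust class of what it reads and
# the audience of what it writes; that is the only input the guard needs.
TOOLS = {
    "list_open_issues":   {"reads": "untrusted", "writes": None},      # public, third-party text
    "read_private_notes": {"reads": "private",   "writes": None},      # sensitive internal data
    "update_issue":       {"reads": None,        "writes": "public"},  # visible to anyone
    "write_private_note": {"reads": None,        "writes": "private"},
}

@dataclass
class Session:
    taint: set = field(default_factory=set)   # data classes already in the model's context
    log: list = field(default_factory=list)   # (decision, reason) per proposed call

def check_tool_call(session: Session, tool: str) -> tuple[str, str]:
    """Gate one proposed tool call; returns (decision, reason)."""
    spec = TOOLS[tool]
    if spec["writes"] == "public":
        if {"untrusted", "private"} <= session.taint:
            # third-party text and private data both in context: a public write
            # is exactly the exfiltration path, so refuse it outright
            decision = ("deny", f"{tool}: private data and untrusted input both in context")
        elif "untrusted" in session.taint:
            # output shaped by third-party text: let a human look before it is published
            decision = ("review", f"{tool}: output derived from untrusted input, needs approval")
        else:
            decision = ("allow", tool)
    else:
        decision = ("allow", tool)          # reads and private writes are not gated here
    if decision[0] == "allow" and spec["reads"]:
        session.taint.add(spec["reads"])    # whatever was read is now in the context
    session.log.append(decision)
    return decision

def run_scenario(calls: list[str]) -> list[str]:
    """Replay the tool-call sequence a model proposes; return the decision per call."""
    session = Session()
    return [check_tool_call(session, tool)[0] for tool in calls]

if __name__ == "__main__":
    # "review open issues and update them for me", with private notes also read
    print(run_scenario(["list_open_issues", "read_private_notes", "update_issue"]))
    # same prompt without private data: publish only after a human approves
    print(run_scenario(["list_open_issues", "update_issue"]))
```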