Sorry, I probably was being imprecise. You're correct that the [GitHub] MCP server really does serve requests with responses. But my point was that certain kinds of requests (like create_new_pr or whatever) have side effects that make mutating calls to third-party systems, and the information that can be passed as part of those mutating calls to those third-party systems isn't guaranteed to satisfy the access control expectations that are intuitively expected. Specifically by that I mean calling create_new_pr might target a public repository, but include a body field with information from a private repo. That's a problem and what I'm talking about.
The problem is that the MCP server does not know that the data being posted is intended to be private. It is provided as a separate disconnected API call. Yes, it would be possible for GitHub to scan the contents of a request for things they might believe should be private, but that would be very brittle.
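As an added illustration of the two approaches discussed above (not code from either commenter or from GitHub's MCP server): a small client-side gateway that labels every tool result with the repo it came from and refuses a mutating call whose arguments carry private-repo data to another repo, next to the brittle keyword scan. Tool names, the `REPO_VISIBILITY` table and the session data are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed repo metadata; a real gateway would fetch visibility from the GitHub API.
REPO_VISIBILITY = {"acme/internal-billing": "private", "acme/public-site": "public"}
MUTATING_TOOLS = {"create_new_pr", "create_issue", "add_comment"}   # hypothetical tool names


@dataclass(frozen=True)
class Tainted:
    """A tool result that remembers every repo it was derived from."""
    text: str
    sources: frozenset

    def __add__(self, other: "Tainted") -> "Tainted":
        # Derived values inherit all sources, so concatenation never launders the label.
        return Tainted(self.text + other.text, self.sources | other.sources)


def read_file(repo: str, contents: str) -> Tainted:
    """Hypothetical read tool: returns (constructed) contents labelled with their origin."""
    return Tainted(contents, frozenset({repo}))


def naive_scan(text: str) -> bool:
    """The brittle alternative: flag content only if it merely looks secret."""
    return re.search(r"(?i)secret|password|token", text) is not None


def check_mutating_call(tool: str, target_repo: str, args: dict) -> tuple[bool, str]:
    """Allow the call unless an argument carries data from a private repo other than the target."""
    if tool not in MUTATING_TOOLS:
        return True, "read-only tool"
    for name, value in args.items():
        if not isinstance(value, Tainted):
            continue
        for src in sorted(value.sources):
            if src != target_repo and REPO_VISIBILITY[src] == "private":
                return False, f"{tool} on {target_repo}: argument '{name}' carries data from private repo {src}"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed session: a PR body assembled from a public read and a private read.
    public_note = read_file("acme/public-site", "Update README\n")
    private_figures = read_file("acme/internal-billing", "Q3 revenue by customer: ...\n")
    body = public_note + private_figures
    print(naive_scan(body.text))   # False: no keyword, so the scanner misses it
    print(check_mutating_call("create_new_pr", "acme/public-site", {"title": "docs", "body": body}))
```

The provenance check blocks the leak without inspecting content, which is exactly the signal the MCP server itself lacks because the read and the write arrive as unrelated API calls.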