mirzap 8 days ago

@motorest read again what I wrote: "That's the thing. LLM or MCP is not a database. You can’t compare it. You simply can't set the permissions or guardrails within LLMs or MCPs. You always do it layer above (scoping to what LLM has access to)."

You cannot HIDE the data MCP has access to. With a database and SQL, you can! So it cannot be comparable with SQL injection.

frabcus 8 days ago

Absolutely you can - the UX of the whole experience MCP is part of could make it clear to the user what repositories can be accessed according to the project they're working on, rather than, when they're working on the public project, the LLM being given access to repos of the private projects.
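One way to build the "layer above" that both comments describe: a policy gateway between the LLM and the MCP server whose scope is derived from the user's session, so out-of-scope repos are neither listed nor readable no matter what the model asks for. This is an added example, not code from either commenter; the repo registry, file contents and the ScopedGateway class are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: repositories with their owning project and visibility.
REPOS = {
    "site-public": {"project": "website", "private": False},
    "site-internal": {"project": "website", "private": True},
    "billing-core": {"project": "billing", "private": True},
}

# Constructed sample files a hypothetical MCP file-reading tool could serve, keyed by repo.
FILES = {
    "site-public": {"README.md": "public docs"},
    "site-internal": {"secrets.env": "DB_PASSWORD=example"},
    "billing-core": {"ledger.py": "print('ledger')"},
}


@dataclass
class ScopedGateway:
    """Policy layer sitting between the LLM and the MCP server.

    The model only ever sees the repos in `allowed`; nothing the model says
    (including injected instructions) can widen that set.
    """
    allowed: frozenset
    audit: list = field(default_factory=list)

    @classmethod
    def for_context(cls, project: str, private_session: bool) -> "ScopedGateway":
        # Scope comes from the authenticated session (which project, private or not),
        # not from the prompt or the tool call arguments.
        allowed = {
            name for name, meta in REPOS.items()
            if meta["project"] == project and (private_session or not meta["private"])
        }
        return cls(frozenset(allowed))

    def list_repos(self) -> list:
        # Out-of-scope repos are hidden entirely, not merely marked as forbidden.
        return sorted(self.allowed)

    def read_file(self, repo: str, path: str):
        # Enforce the scope on every call and record the decision for detection.
        if repo not in self.allowed:
            self.audit.append(f"DENIED read_file repo={repo} path={path}")
            return None
        self.audit.append(f"ALLOWED read_file repo={repo} path={path}")
        return FILES.get(repo, {}).get(path)
```

The audit list is where a denied read of a private repo during a public-project session would surface as a detection signal.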