This is exactly the kind of MCP security issue people overlook. Tool access is powerful, but argument level controls matter just as much. It’s not enough to say “this tool is allowed.” The system also needs to know what inputs should never pass through.