But AI didn't get it right. That's the point, isn't it? The screenshot in the link shows an analysis that's based on a set of invalid/incorrect assumptions.

Specifically, MCP servers are expected to run in a trusted environment by definition. So, MCP servers can safely treat their input as trusted, as well. At least, that's what the spec says.