I was more referring to the environment that MCP servers run within, which at the end of the day is simply a massive interpolated string that blends instructions and data/content together in a way that an LLM will do its best to figure out a helpful response.

A 'perfectly secured' MCP server will become insecure simply by existing along neighbouring, insecure, tools. With that, I think it's safe to take a broader, less technical definition and say that you should use AI agents + MCP servers with caution.