I'm using something that pops up an OAuth window in the browser as needed. I think the general idea is that secrets are handled at the local harness level.

From my limited understanding it seems like writing a little MCP server that defines domains and abilities might work as an additive filter.