Anything you said here just demonstrate that you don't really understand the differences between MCP and CLI.

MCP is just wrapper on top of API layer that RCP to a worker/daemon. That API layer itself can be the CLI. You get no more context usage, and no extra security impact, because fundamentally the model are the same, just without the fluff.

You are probably thinking of CLI as in "oh I must pass everything and it is stateless", only some need to be like that.