If the random blob is running inside of a real sandbox (Landlock/Bubblewrap, VM, ...Docker) then I would take the blob, because I can reason about its capabilities without inspecting its internals. The LLM can run curl as much as it wants if I've `unshare()`d its network access. MCP is an instant obligatory sandbox escape unless I also manage to deploy all the MCP servers inside the sandbox.
And yes, sorry, I was talking about local MCP. I should have made that clear. I do see people using local MCP quite a bit (Ghidra MCP, Playwright MCP, etc.), but maybe this is more of a hobbyist thing.
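The network half of the sandbox described in the comment above, as an added example that is not part of the original post: a forked child enters fresh user and network namespaces and then attempts an outbound TCP connect. The function and enum names are hypothetical, and the 192.0.2.1 target (TEST-NET-1) is a constructed address.

```c
#include <arpa/inet.h>
#include <linux/sched.h>   /* CLONE_NEWUSER, CLONE_NEWNET */
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum { NET_BLOCKED = 0, UNSHARE_UNAVAILABLE = 1, NET_REACHABLE = 2, PROBE_ERROR = 3 };

/* Child side: isolate first, and only then touch the network. */
static int child_probe(void) {
    /* Raw unshare(2); CLONE_NEWUSER lets an unprivileged process create the netns. */
    if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWNET) != 0)
        return UNSHARE_UNAVAILABLE;   /* e.g. userns disabled by sysctl or seccomp */

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return PROBE_ERROR;

    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(80) };
    inet_pton(AF_INET, "192.0.2.1", &dst.sin_addr);   /* constructed target */

    /* A fresh network namespace has only a downed loopback and no routes. */
    int rc = connect(fd, (struct sockaddr *)&dst, sizeof dst);
    close(fd);
    return rc == 0 ? NET_REACHABLE : NET_BLOCKED;
}

/* Run the probe in a forked child so the caller's own namespaces are untouched. */
int probe_network_after_unshare(void) {
    pid_t pid = fork();
    if (pid < 0) return PROBE_ERROR;
    if (pid == 0) _exit(child_probe());
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return PROBE_ERROR;
    return WEXITSTATUS(status);
}

int main(void) {
    static const char *msg[] = { "network blocked", "unshare unavailable",
                                 "network reachable", "probe error" };
    int r = probe_network_after_unshare();
    printf("%s\n", msg[r]);
    return r == NET_BLOCKED ? 0 : 1;
}
```

A result of `UNSHARE_UNAVAILABLE` means the kernel or an outer container refused unprivileged user namespaces, so nothing was isolated and the connect was never attempted.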