Giving read access to only the people who should have read access doesn't solve the problem here.
The vulnerability is when people who should have read access to the database delegate their permission to an LLM tool which may get confused by malicious instructions it encounters and leak the data.
If the LLM tool doesn't have a way to leak that data, there's no problem.
But this is MCP, so the risk here is that the user will add another, separate MCP tools (like a fetch web content tool) that can act as an exfiltration vector.
The vulnerability is when people who should have read access to the database delegate their permission to an LLM tool which may get confused by malicious instructions it encounters and leak the data.
If the LLM tool doesn't have a way to leak that data, there's no problem.
But this is MCP, so the risk here is that the user will add another, separate MCP tools (like a fetch web content tool) that can act as an exfiltration vector.