That only makes sense if models were autonomously adding MCP servers and managing accounts themselves. Currently, users add MCP servers to their clients (like Cursor or Claude Desktop), so authentication should happen at that level. If the model handled auth, you'd still need to provide credentials to the LLM for it to provide it to the MCP server anyway. It's better to pass auth data as for example headers in requests - this way your credentials never get sent to the model provider (unless you're running locally).

The two things I can think of are MCP servers with functions that make calls to a database with sensitive information, or are easy to pwn due to propping them up in a hasty and irresponsible manner.

The article would actually be interesting if they tried either of those with the servers they found.