I read it quickly, but I think all of the attack scenarios rely on there also being an MCP Server that advertises the tool for reading from the local hard disk. That seems like a bad tool to have in any circumstance, other than maybe a sandboxed one (e.g., container, VM). So, biggest bang for your security buck is to not install the local disk reading tool in your LLM apps.