> Give MCP agents access to what they need but not more.
My view is that you should give them (Agents) a computer, with a complete but minimal Linux installation - as a VM or Containerized. This has given me better results, because now it can, say, fetch information from the internet, or do whatever it wants (but still in the sandbox). Of course, depending on what you're working on, you might decide that internet access is a bad idea, or that it should just see the working copy, or allow only certain websites.
If you give it access to the internet ... it can basically do anything, exfil all your code, receive malicious instructions. The blast radius (presuming it doesn't get out of your sandbox) is limited to loss of whatever you put in (source code) and theft of resources (running a coinminer, hosting phishing attacks, etc ...). As you say, you can limit things to trusted websites, which helps .. but even then, if you trust, say, github, anyone can host malicious instructions. The risk tradeoffs (likelihood of hitting malicious instructions vs productivity benefit) might nevertheless be worth it ... not too much targeted maliciousness in the wild yet. And just a bit more guardrailing and logging can go a long way.
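The "allow only certain websites" option from the two comments above comes down to an egress allowlist enforced outside the agent, plus a log of what was denied. The block below is an added example written for this thread, not code from any commenter or from MCP itself; it assumes the sandbox's outbound HTTP goes through a proxy that calls `egress_decision()` per request, and the hostnames in `ALLOWED_HOSTS` are a constructed allowlist. It handles the parsing pitfalls that make naive hostname matching unsafe: userinfo tricks (`https://github.com@evil.example/`), suffix-matching traps (`pypi.org.evil.example`), trailing dots and case, non-HTTPS schemes, odd ports, and IP literals (the usual route to link-local metadata and internal services, which a name-based allowlist should simply refuse).

```python
"""Egress allowlist for a sandboxed agent's outbound HTTP requests.

Added example for this discussion (not MCP or any commenter's code).
Assumption: the sandbox routes outbound requests through a proxy that
consults egress_decision() before connecting, and writes denials to a log.
"""
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlsplit
import ipaddress

# Constructed allowlist. Exact hostnames match themselves only;
# "*.example" matches proper subdomains of example (not example itself).
ALLOWED_HOSTS = frozenset({"github.com", "api.github.com", "pypi.org", "*.pypi.org"})
ALLOWED_SCHEMES = frozenset({"https"})
ALLOWED_PORTS = frozenset({None, 443})  # None == default port for https


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    host: str = ""


def _host_matches(host: str, entry: str) -> bool:
    """Exact match, or proper-subdomain match for '*.' entries.

    Matching on '.' + base (not a bare suffix) is what stops
    'pypi.org.evil.example' from matching '*.pypi.org'.
    """
    if entry.startswith("*."):
        return host.endswith("." + entry[2:])
    return host == entry


def egress_decision(url: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> Decision:
    """Decide whether the agent may fetch `url`. Deny by default."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. unbalanced IPv6 brackets
        return Decision(False, f"unparseable url: {exc}")

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return Decision(False, f"scheme not allowed: {parts.scheme!r}")

    # .hostname strips userinfo and port and lowercases; still refuse any
    # URL that carried userinfo at all, since 'trusted.host@evil' is a
    # classic way to fool eyeball-level review of a URL.
    if parts.username is not None or parts.password is not None:
        return Decision(False, "userinfo in url", parts.hostname or "")

    host = (parts.hostname or "").rstrip(".")  # 'github.com.' -> 'github.com'
    if not host:
        return Decision(False, "no host")

    # Name-based allowlist: literal addresses are never allowlisted.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, continue
    else:
        return Decision(False, "ip literal not allowed", host)

    try:
        port = parts.port
    except ValueError:
        return Decision(False, "invalid port", host)
    if port not in ALLOWED_PORTS:
        return Decision(False, f"port not allowed: {port}", host)

    if any(_host_matches(host, entry) for entry in allowed_hosts):
        return Decision(True, "host allowlisted", host)
    return Decision(False, "host not allowlisted", host)


def audit_lines(urls: Iterable[str]) -> List[str]:
    """One log line per request; the denied lines are the ones worth alerting on."""
    lines = []
    for url in urls:
        d = egress_decision(url)
        verdict = "ALLOW" if d.allowed else "DENY "
        lines.append(f"{verdict} {url} ({d.reason})")
    return lines


if __name__ == "__main__":
    # Constructed sample requests an agent in the sandbox might make.
    sample = [
        "https://api.github.com/repos/example/repo",
        "https://files.pypi.org/simple/",
        "https://github.com@evil.example/",      # userinfo trick
        "https://pypi.org.evil.example/",        # suffix trap
        "https://169.254.169.254/latest/",       # metadata endpoint via IP literal
        "http://github.com/",                    # plaintext
        "https://GitHub.COM./",                  # case + trailing dot, still allowed
    ]
    print("\n".join(audit_lines(sample)))
```

The proxy is the enforcement point; the agent never sees the allowlist and cannot argue its way around it. Even so, as the comment notes, an allowlisted host like github.com can still serve hostile instructions, so the denial log is a detection signal for attempted exfiltration rather than a guarantee about what comes back.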
>now it can say fetch information from the internet...(but still in the sandbox)
If it is talking to the internet, it is most definitely not sandboxed.