Does MCP sandbox its servers at the protocol level?
No. MCP specifies messaging, not isolation. A server runs with whatever privileges the host process has unless you sandbox it yourself with containers, least privilege, or a separate user.
Think of MCP like the rules for a phone call: it standardizes how two parties connect, take turns, and hang up. But the phone protocol never decides what you are allowed to say or who you can call. If you hand your phone to a stranger, the call rules do not stop them from dialing premium numbers or reading your contacts. That is on you. An MCP server is the same. The protocol says how the host and server exchange messages, but it never builds a cage around the server. If a local server runs on your machine, it can touch any file your account can touch and make any network call, unless you put it in a real cage yourself. The cage is a container, a locked-down user account, or strict file permissions. MCP does not ship one.
Detailed answer & concept explanation~7 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
4 min: state that MCP is messaging not isolation, explain the local stdio privilege-inheritance gap, distinguish approval from containment, then list the operator's controls (containers, least privilege, scoped access).
| Concern | What MCP provides | Who must provide isolation |
|---|---|---|
| Process isolation | Nothing in the spec | Container runtime or OS |
| Resource limits (CPU, memory) | Nothing in the spec | cgroups, container limits |
| Filesystem scoping | Nothing in the spec | Host config, mounts, file permissions |
| Network egress control | Nothing in the spec | Firewall or container egress policy |
| Authorization (remote) | OAuth 2.1 layer | Still needs runtime isolation on top |
Real products, models, and research that use this idea.
- Claude Code and Claude Desktop spawn local stdio MCP servers as child processes that inherit the launching user's privileges, so operators sandbox sensitive ones in containers.
- The OWASP MCP Top 10 published in 2025 catalogs tool poisoning, rug pulls, and confused-deputy risks that the protocol itself does not mitigate.
- Docker's MCP Catalog and Toolkit run community servers inside containers precisely because the protocol provides no isolation on its own.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow would you sandbox an untrusted local MCP server on a developer laptop?
QIf MCP enforces no isolation, what is the user-approval prompt actually protecting against?
QHow does the missing isolation interact with tool poisoning and rug-pull attacks?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Assuming that because MCP gates each tool call behind a user approval, the server is therefore contained. Approval is consent, not isolation.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.