Yeah to restricted read, still a lot of API work to do here and we're a bit blocked by MCP itself changing its auth spec (was just republished yesterday).
If you use the lower-level enrichMCP API (without SQLAlchemy) you can fully control all retrieval logic and add things like rate limiting, not dissimilar to how you'd solve this problem with a traditional API.
You could do this out of the MCP protocol, just by making a SQL user account with restricted privileges.
I'm assuming at some point you have to give the mcp orm credentials. I think it's easier and more maintainable to just add a doc page tutorial showing how to do it instead of making it part of the dependency. It also reduces the scope of the library.
Also, generic db question, but can you protect against resource overconsumption? Like if the junior/agent makes a query with 100 joins, can a marshall kill the process and time it out?