You could do this out of the MCP protocol, just by making a SQL user account with restricted privileges.
I'm assuming at some point you have to give the mcp orm credentials. I think it's easier and more maintainable to just add a doc page tutorial showing how to do it instead of making it part of the dependency. It also reduces the scope of the library.
If you use the lower-level enrichMCP API (without SQLAlchemy) you can fully control all retrieval logic and add things like rate limiting, not dissimilar to how you'd solve this problem with a traditional API.