Computer-use screen-capture privacy: to operate the UI, I take the whole screen in — including everything unrelated to the task
In one sentence other open apps, pop-up notifications, background documents, other browser tabs, other people's data on a shared / screen-shared display, even a password manager that happens to be visible. All of it rides the screenshot into the model — ambient private data far beyond what the task needs. This isn't injection (that goes to Agent tool exfiltration) and it isn't MCP data flow (MCP data flow & least collection); it's input-surface over-capture Anthropic's computer use tool and OpenAI's Operator have both shipped, and both flag this surface in their own docs (keep sensitive data off-screen, isolate in a dedicated VM, hand sensitive input to a human, supervise on sensitive sites). The real boundary isn't "the model looks at less on its own" — it's the capture surface: get the unrelated and sensitive stuff off the screen before you screenshot it.
MCP data flow and least collection: when I connect an MCP server, which slice of my private context gets handed over, and who over-collects
In one sentence the MCP spec states plainly that "hosts must obtain explicit user consent before exposing user data to servers," and Anthropic's software directory policy goes further — software "must only collect data from the user's context that is necessary to perform their function" and "must not collect extraneous conversation data, even for logging purposes." Yet in practice a server is routinely granted far more scope than it needs (the entire home directory to serve one folder), credentials concentrate into a single high-value target across servers, and data detours through someone else's infra on a third-party-hosted server. Conclusion first: map which context fields each server actually receives, and whether those fields are what it needs, before you decide to connect it. Treating "only connect official servers" or "one consent prompt is enough" as the whole boundary is the most common operational false security at this layer.