Hello

The spec states:

For tasks/list requests, receivers MUST ensure the returned task list includes only tasks associated with the requestor's authorization context.

And:

If context-binding is unavailable, receivers MUST generate cryptographically secure task IDs with enough entropy to prevent guessing

Question: For public MCP servers that don't implement authentication:

1. What defines the "authorization context" - is it transport-level (e.g., connection/session ID)?
2. If no auth context exists, does tasks/list return all tasks to any requestor?
3. The fallback (cryptographic task IDs) only protects tasks/get from enumeration - but tasks/list would still expose all task metadata (status, timestamps, etc.)

Thank you,