For this reason, we have a rule. Always ssh FROM the more trusted machine TO the less trusted one, never the other way around. For scp and rsync, that means always PUSH files to a client's machine or any server on the public internet, never PULL to a less trusted machine from a more trusted one.
How would that work? Honestly, I don't know, so don't troll me.
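
As an added illustration of the rule quoted above (not code from the original thread), this Python sketch audits ssh, scp and rsync command lines against a trust ranking and flags any connection initiated on the less trusted side. The host names, the ranking and the `check` and `positionals` helpers are assumptions made up for the example; equal trust is treated as allowed.

```python
import re
import shlex

# Constructed trust ranking (assumption): higher number = more trusted.
TRUST = {"admin-laptop": 3, "office-server": 2, "client-box": 1, "public-web": 0}

# Options that consume the next argument, per tool (a subset, enough for the samples).
TAKES_VALUE = {"ssh": {"-p", "-i", "-l", "-o", "-F", "-J"},
               "scp": {"-P", "-i", "-o", "-F", "-J"},
               "rsync": {"-e"}}

# [user@]host:path marks a remote scp/rsync operand; anything else is a local path.
REMOTE = re.compile(r"^(?:[^@/:]+@)?([^@/:]+):")

def positionals(tool, argv):
    """Drop options (and their values) and return the remaining operands."""
    out, skip = [], False
    for a in argv:
        if skip:
            skip = False
        elif a.startswith("-"):
            skip = a in TAKES_VALUE[tool]
        else:
            out.append(a)
    return out

def check(local_host, command, trust=TRUST):
    """Classify one command typed on local_host as ok / violation / skip."""
    argv = shlex.split(command)
    tool = argv[0] if argv else ""
    if tool not in TAKES_VALUE:
        return ("skip", "not ssh, scp or rsync")
    ops = positionals(tool, argv[1:])
    if tool == "ssh":
        remotes, action = [o.split("@")[-1] for o in ops[:1]], "login"
    else:
        found = [REMOTE.match(o) for o in ops]
        remotes = [m.group(1) for m in found if m]
        action = "push" if found and found[-1] else "pull"
    if not remotes:
        return ("skip", "no remote host")
    if local_host not in trust or any(r not in trust for r in remotes):
        return ("skip", "unranked host")
    worse = [r for r in remotes if trust[local_host] < trust[r]]
    if worse:
        return ("violation", f"{action} run on {local_host}, less trusted than {worse[0]}")
    return ("ok", f"{action} run on {local_host}")
```

A pull is acceptable when it is typed on the more trusted machine: what the check looks at is which side opens the connection, not which way the files move.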