For this reason, we have a rule. Always ssh FROM the more trusted machine TO the less trusted one, never the other way around. For scp and rsync, that means always PUSH files to a client's machine or any server on the public internet, never PULL to a less trusted machine from a more trusted one.
How would that work? Honestly I don't know so don't troll me
"For a male and female to live continuously together is... biologically speaking, an extremely unnatural condition." -- Robert Briffault