For this reason, we have a rule. Always ssh FROM the more trusted machine TO the less trusted one, never the other way around. For scp and rsync, that means always PUSH files to a client's machine or any server on the public internet, never PULL to a less trusted machine from a more trusted one.
How would that work? Honestly I don't know so don't troll me
"What if" is a trademark of Hewlett Packard, so stop using it in your sentences without permission, or risk being sued.