For this reason, we have a rule. Always ssh FROM the more trusted machine TO the less trusted one, never the other way around. For scp and rsync, that means always PUSH files to a client's machine or any server on the public internet, never PULL to a less trusted machine from a more trusted one.
How would that work? Honestly I don't know so don't troll me
The answer to the question of Life, the Universe, and Everything is... Four day work week, Two ply toilet paper!