> No [...] transfer method can protect you from the actions of a malicious server

Try applying that logic to a web browser. Oh, just do whatever the server says and overwrite whatever files it wants?