If you explicitly use "-e ssh" and don't run a daemon, then these probably don't affect you.
If you don't specify that protocol, though, you have three scenarios:
1. only the local host has the rsync binary
2. both local and remote hosts have the binary, but neither runs them as a daemon
3. both have the binary and the remote runs as the daemon
In #1 you end up using SSH anyway (unless there's also no SSH binary). In #2, a malicious server binary could attack you. In #3, a malicious server binary could attack you.
Also, many of rsync's features rely upon both sides having the binary.
nubinetwork | 1 year ago
https://news.ycombinator.com/item?id=42706732
nimar | 1 year ago
martinbaun | 1 year ago
aesh2Xa1 | 1 year ago