All transfers are initiated by the host, including ones that look like they're client-first; there is no DMA, which would be a massive security pain.