OpenSSH 8.0 released

When you get back a filename from the server you check that it is a relative path (does not begin /) and is canonical (does not contain ..). And you check that it is a possible expansion of the glob pattern you gave (which is effectively the same as doing a regular expression match, just with different syntax). That should be enough.