For the sake of simplicity (I find it easier to remember names than arbitrary letters), I will dispense with letters and use names to refer to the machines in this scenario.

Say I have two machines, applejack and pinkie-pie, each on their own separate LANs and not in the same physical location. I also have a server, cadance, with a direct Internet-facing connection. I want to copy a file from applejack to pinkie-pie, so to avoid dealing with port forwarding and such, I set up an ssh tunnel from pinkie-pie to cadance (ssh -R etc cadance). Now I can connect to pinkie-pie from anywhere, by connecting to cadance and specifying an alternate port to use. I can also easily copy files to pinkie-pie with scp -P $that_port $some_file cadance:$some_path.

My understanding of how it works is this:

1. A secure connection is made from applejack to cadance
2. I am authenticated to cadance
3. A secure connection is made from applejack to pinkie-pie that spans the existing reverse tunnel and the new connection from step 1.
4. I am authenticated to pinkie-pie
5. Files are copied directly from applejack to pinkie-pie over this connection.

Am I correct here? How secure is this approach?

If I'm wrong…are files copied this way decrypted at cadance before being passed on to pinkie-pie? Is there a possibility that traces of unencrypted data could remain on cadance?