"In this case, the administrator and sole moderator received abuse reports regarding CSAM on the instance—either uploaded by a local user or ingested from a remote follow—that were not immediately acted upon, resulting in an abuse report being sent to the server’s hosting provider. This resulted in the instance admin inspecting and deleting the content, but by this time the xyz top-level domain had suspended the server’s DNS domain name, effectively taking the entire site down and depriving the entire userbase of the service."

This seems like the main attack vector relevant for clients. Even if clients don't store content themselves, they do provide access. While they can't be held legally liable (I believe), they can be reported and de-platformed either by app removal or domain name suspension.

https://stacks.stanford.edu/file/druid:vb515nd6874/20230724-fediverse-csam-report.pdf