Security Strategy for Large Number of Clients each access private Cloud Folder

I am developing both the client app and the cloud app.
When the client updates data on the client side, the file needs to be sent to the cloud, and vice versa.
So far I am using MBS CURLS in SSH mode (with a single key pair to establish an sFTP transfer to the cloud server) to transfer files to/from the client PC to the user's private cloud folder.

It has been suggested that I should be concerned about using a single key-pair that needs to be published with the desktop app in order to establish sFTP connection with my server. Is this a valid concern?

Another suggestion is to generate a key pair for each client. My concern with that approach is that I am thinking that these keys are used by the server to validate sFTP access, and this approach I think would cause me to manually enter each key pair into the server for every client - this seems unscalable and hard to manage.

If I want many clients to establish secure sFTP file transfer between the client app and the cloud app what is the right way to implement that?
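One way to handle the scaling concern raised in the post above, added here as an example and not code from the thread or from MBS: each client generates its own key pair locally and sends only its public key, which the server validates and enrolls into an authorized_keys file with least-privilege options. The `restrict` and `command="internal-sftp"` options assume an OpenSSH server; the sample key line is constructed with placeholder bytes and is not a real key.

```python
import base64
import re
import struct
from pathlib import Path

# Key types accepted from clients (assumption: modern key types only).
ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256"}
CLIENT_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def parse_pubkey(line: str) -> tuple[str, str]:
    """Validate one OpenSSH public-key line sent by a client; return (type, base64 blob)."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        raise ValueError("unsupported or malformed key line")
    ktype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    # The wire blob starts with a length-prefixed type string; it must match the declared type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != ktype.encode():
        raise ValueError("key type inside blob does not match declared type")
    return ktype, b64

def authorized_keys_entry(client_id: str, pubkey_line: str) -> str:
    """Build a least-privilege entry: no shell, no pty, no forwarding, SFTP subsystem only."""
    if not CLIENT_ID_RE.fullmatch(client_id):
        raise ValueError("bad client id")
    ktype, b64 = parse_pubkey(pubkey_line)
    # 'restrict' (OpenSSH 7.2+) turns off pty/agent/port forwarding; command= forces SFTP.
    return f'restrict,command="internal-sftp" {ktype} {b64} client:{client_id}'

def enroll(existing: list[str], client_id: str, pubkey_line: str) -> list[str]:
    """Return authorized_keys lines with this client's key added; idempotent for a known key."""
    entry = authorized_keys_entry(client_id, pubkey_line)
    _, b64 = parse_pubkey(pubkey_line)
    if any(b64 in line for line in existing):
        return list(existing)
    return list(existing) + [entry]

def enroll_file(keys_path: Path, client_id: str, pubkey_line: str) -> None:
    """Persist the entry; point sshd's AuthorizedKeysFile at this file (server-side assumption)."""
    existing = keys_path.read_text().splitlines() if keys_path.exists() else []
    keys_path.write_text("\n".join(enroll(existing, client_id, pubkey_line)) + "\n")
    keys_path.chmod(0o600)

# Constructed sample: 32 placeholder key bytes, not a real key.
_blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " laptop-of-client-42"

if __name__ == "__main__":
    print(authorized_keys_entry("client-42", SAMPLE_KEY))
```

The private half of each client's key never leaves the client, so no shared secret has to ship inside the desktop app, and a compromised client's key can be revoked by deleting its single line.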

There are some mechanisms to do dynamic secure key exchange.
Some might suggest Diffie-Hellman - but it's vulnerable to a man-in-the-middle attack.

MBS Plugin has Diffie-Hellman in the Encryption plugin.