There is a concept of a federated timeline, which does get synced to your local instance. If you follow someone on a remote instance, that instance feeds content into your instance so it can be loaded.
It syncs the people you follow, right? So presumably the only additional content on your instance is content from the people you follow, which should generally be low-risk.
You can also block just media if an instance is known to host images that are illegal in your country or your users don't want to see (silencing is a better option for the latter tho).
