The client does not receive requests, it only issues them. The server receives requests, so this must be allowed. If you allowed all ports you would have a large area of attack through exploit requests.
Actually it is not that you have to open the doors to the client, they are all open, you do not have to close out doors unless you do not trust what is running on the machine, but there open door is the smallest problem .
It's like a show, a closed party, in an event, there is control of who enters, not who leaves. Everyone can leave, only those who have permission can enter.
Of course, every client can be a server, too. In point-to-point communications are so. Of course, point to point must always know the address of the point to start communication.
The initial communication request needs the open port, but then this is no longer a problem in most architectures since the connection can be kept open, there it looks like two clients communicating.