I use zfsbackup-go and I really, really wish it had an append-only mode for its metadata. You can configure it with a cloud storage account with permissions to read and create but not overwrite or delete and that’s fine for the data (which is a load of blobs containing encrypted zfs send output), but it insists on doing in-place updates on the metadata. If it could use an append-only journal, then your off-site backup software could run without the permission to delete backups, giving you most of the benefit of air-gapped backups.
I use zfsbackup-go and I really, really wish it had an append-only mode for its metadata. You can configure it with a cloud storage account with permissions to read and create but not overwrite or delete and that’s fine for the data (which is a load of blobs containing encrypted zfs send output), but it insists on doing in-place updates on the metadata. If it could use an append-only journal, then your off-site backup software could run without the permission to delete backups, giving you most of the benefit of air-gapped backups.