Do you do offsite offline backups too with verification? What if your infra gets really hacked and they wipe out all of your customers' backup data everywhere? Just because borg clients have append-only modes, it doesn't stop them from deleting the raw files on your drives.
If a storage server gets p0wned, the raw data could be deleted. That's true for every cloud provider. What's important, they still can't read the backup, since it's encrypted on the client. Storage servers are also isolated from each other and in different DCs, cities and regions.
Additional offline backups aren't really feasible past a certain data volume and daily change/velocity. I'd still encourage everyone to have them for their own essential data in addition to a cloud backup, e.g. by burning it to BluRay or tape (3-2-1 rule). You can find my own, more philosophical discussion of the topic here: https://docs.borgbase.com/strategy/. There I also distinguish between operational backups and archives. BorgBase is focused on the former. Offline backups are more suited for the latter.
> If a storage server gets p0wned, the raw data could be deleted. That's true for every cloud provider.
It's not hard to create a cloud backup service where delete requires separate credentials which are not used in day-to-day operations (and so can be kept secure). And without these credentials a backup is kept N days and cannot be deleted or overwritten. Don't know if anyone does this, though.
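
A minimal model of the scheme described in the comment above, added here as an example; it is not code from the thread or from any provider. `RetentionStore`, the two key names, and the choice to let the day-to-day credential delete once the N-day window has passed are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field

DAY = 86400  # seconds

class PolicyError(Exception):
    """Request rejected by the retention policy."""

@dataclass
class RetentionStore:  # hypothetical server-side policy layer
    retention_days: int
    writer_key: str   # day-to-day credential, present on backup clients
    delete_key: str   # separate credential, kept out of daily operations
    objects: dict = field(default_factory=dict)  # name -> (data, created_at)

    def _role(self, key: str) -> str:
        # Constant-time comparison so key checks do not leak timing.
        if hmac.compare_digest(key.encode(), self.delete_key.encode()):
            return "delete"
        if hmac.compare_digest(key.encode(), self.writer_key.encode()):
            return "writer"
        raise PolicyError("unknown credential")

    def put(self, key: str, name: str, data: bytes, now: float) -> None:
        self._role(key)  # any valid credential may add new objects
        if name in self.objects:
            raise PolicyError("overwrite refused: objects are write-once")
        self.objects[name] = (data, now)

    def delete(self, key: str, name: str, now: float) -> None:
        role = self._role(key)
        _, created = self.objects[name]
        locked = now - created < self.retention_days * DAY
        if locked and role != "delete":
            raise PolicyError("delete refused: inside retention window")
        del self.objects[name]

def attempt(fn, *args) -> str:
    """Run one request and report 'ok' or the refusal reason."""
    try:
        fn(*args)
        return "ok"
    except PolicyError as exc:
        return str(exc)

def demo() -> list:
    # Constructed keys and object names; N = 30 days.
    s = RetentionStore(30, writer_key="w-constructed", delete_key="d-constructed")
    w = "w-constructed"
    return [attempt(s.put, w, "archive-1", b"v1", 0.0),
            attempt(s.put, w, "archive-1", b"tampered", DAY),
            attempt(s.delete, w, "archive-1", DAY),
            attempt(s.delete, w, "archive-1", 31 * DAY)]
```

The point of the split is that a compromised client or operations host holds only the writer key, so the worst it can do inside the window is add new objects.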