I have currently settled on borg for backups personally, combined with some gruesome ssh hackery to let me do pull backups of external machines using ssh tunnelled sockets back to a backup server which is not reachable from the wider internet. These days I might just use tailscale to set up a VPN & pipe the backup straight over that without all the ssh shenanigans but the system I have works. You can also use borg to talk directly to rsync.net at special nerd rates: https://www.rsync.net/products/borg.html Bring your own support!
NB. Last time I looked at this, borg’s cryptography was somewhat suspect. Not actually broken, but definitely not using best practices. Restic is better, but at the time I was looking restic didn’t compress backups so it was a non-starter for me. These days restic does compression as well so is probably the right default choice. Borg2 has a rewritten encryption layer which supposedly fixes all the problems pointed out by cryptographers with Borg1, but it hasn’t hit a release version yet & is still in beta.