I do wish there were a way to allow a machine to perform backups without also allowing to read them. I generate per-machine secret keys for restic, then encrypt those keys to a set of GPG recipients, and store them alongside the backup data. I did have to roll my own solution for this using s3cmd etc but its not too bad.