I'll assume that restic does not actually implement AES. I maintain that rolling EtM is effectively not more error prone than correctly using a dedicated AEAD construction, since in either case you are rolling your own crypto, which swamps error proneness differences between these alternatives.
I'm not sure I follow this. A library implementation of an AEAD, with "Seal" and "Unseal" functions, is almost misuse-resistant (depending on the primitive and how they handle nonces). The same is not true of a library that exports AES-CTR or AES-CBC's Encrypt/Decrypt, plus a MAC!
If you're implementing an entire AEAD construction, like GCM or EAX, from scratch, then yes. Don't do that. You probably are safer composing CBC and HMAC than you would be writing your own EAX.
But if your library exports an EAX, using it is almost certainly a huge security win over DIY authenticated encryption, even if you can remember the order of operations properly.
Wait a minute, there are cases where this is required? Chacha20/Poly1305 is not one of them, right?
---
Another I have personally seen was using the session key for a Wegman Carter hash (such as Poly1305). I received an email suggesting I do just that in Monocypher, to avoid using up the beginning of the key stream. Didn't realise why this would lead to instant key recovery.
I have since littered my manual with scary tales of total annihilation of security.