[dom0]

I'll assume that restic does not actually implement AES. I maintain that rolling EtM is effectively not more error prone than correctly using a dedicated AEAD construction, since in either case you are rolling your own crypto, which swamps error proneness differences between these alternatives.

[tptacek]

I'm not sure I follow this. A library implementation of an AEAD, with "Seal" and "Unseal" functions, is almost misuse-resistant (depending on the primitive and how they handle nonces). The same is not true of a library that exports AES-CTR or AES-CBC's Encrypt/Decrypt, plus a MAC!

If you're implementing an entire AEAD construction, like GCM or EAX, from scratch, then yes. Don't do that. You probably are safer composing CBC and HMAC than you would be writing your own EAX.

But if your library exports an EAX, using it is almost certainly a huge security win over DIY authenticated encryption, even if you can remember the order of operations properly.