[gcc42]

I thought about this exact problem a month ago when I got paranoid (I'm on Windows) , and my solution involved setting up a separate cheap Linux node in my home and attaching my backup drive to it.

The server is locally SSHable, but only authenticates via password that I have to type in during each backup. Key authentication is disabled. I use borg backup so I don't even have to give shell access to this particular account (there are hardened borg configs available online).

If you're more paranoid about security, you can enable 2FA over SSH, or make sure the backup server itself creates a periodic offline backup of the backup repository, without the SSH account having permissions to that of course.

Honestly though as long as you're not doing something stupid like mounting NFS to your vulnerable device to make backups, you should be mostly fine.