Production can push as many backups as it wants; it shouldn’t be able to overwrite the previous backups. Deletion and expiry have to happen separately. There’s no reason for it to even be able to list the backups, and that restriction combined with a randomized backup ID (in addition to any date/time tagging) limits the ability to corrupt the backups.
Seems to me it would be better to have the backup pull from production so the scripts cannot be reverse engineered. Maybe it's just 6 in one and a half dozen in the other though.
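The push-only design from the first comment, sketched as an added example that is not from either commenter: a receiver that accepts new backups but exposes no overwrite, list or delete operation, with keys that carry a date/time tag plus a random ID. The filesystem-backed receiver, the key format and the names `new_backup_key`, `store_backup` and `demo` are assumptions made for illustration.

```python
import os
import re
import secrets
import tempfile
from datetime import datetime, timezone

# Assumed key format: UTC timestamp tag plus 128 random bits. The random part
# is what a later-compromised production host cannot guess for old backups.
KEY_RE = re.compile(r"^\d{8}T\d{6}Z-[0-9a-f]{32}$")


def new_backup_key(now=None):
    """Producer side: date/time tag for humans, random ID for unguessability."""
    now = now or datetime.now(timezone.utc)
    return f"{now:%Y%m%dT%H%M%SZ}-{secrets.token_hex(16)}"


def store_backup(root, key, data):
    """Receiver side: create-only write. Never overwrites, never lists."""
    if not KEY_RE.fullmatch(key):
        raise ValueError("malformed backup key")  # also blocks path traversal
    path = os.path.join(root, key)
    # O_EXCL makes creation fail if the name exists, so an earlier backup
    # cannot be replaced or truncated through this interface.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Constructed run: one good push, then two rejected tampering attempts."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        key = new_backup_key()
        store_backup(root, key, b"constructed sample backup")
        for name, bad_key in (("overwrite", key), ("traversal", "../" + key)):
            try:
                store_backup(root, bad_key, b"corrupted")
                results[name] = "accepted"
            except (FileExistsError, ValueError) as exc:
                results[name] = type(exc).__name__
        with open(os.path.join(root, key), "rb") as f:
            results["content"] = f.read()
    return results


if __name__ == "__main__":
    print(demo())
```

Deletion and expiry are deliberately absent from this interface; they would run under a separate identity on the backup side.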