[elric]

I've happily been writing borg backups to rsync.net for years. They have support for forcing borg in the ssh session using force-command, and borg has options that can prevent deletion (should the backup ssh key be compromised).

Overall it's a robust solution that isn't too painful to setup.

[unbrice]

I second this. I was looking for a solution that prevented a compromised host from deleting its own backups. Forcing the command as you mentioned works for rsync.net, and its snapshots also provide a protection against fat finger errors.