Bindshells are shells that are bound to a port, see Wiki for a brief explanation[1]. Basically, without authentication you have no way of knowing that the `ls` you backed up is the same `ls` you get back out. If your remote backup is compromised and uses XTS, its possible for someone to own you by replacing an oft used binary that when run gives them a remote shell.
On the other hand, if the attacker needs to create the connection, the shellcode is called a bindshell because the shellcode binds to a certain port on which the attacker can connect to control it.
It's in Niels Ferguson's public comments to NIST regarding XTS-AES and storage that's not on physical hardware. tptacek explained it in his comments how this attack works if you search them https://news.ycombinator.com/item?id=7675698#up_7676864
This service if I remember encrypts files/container with user keys then they encrypt it again on their cloud backup with their key, so it's not an encrypted backup sitting on a dropbox server. Of course you have to trust their keys won't be stolen by somebody wanting at those XTS-AES encrypted backups.
ls is a file listing in unix/linux. a 'bindshell' would essentially open a telnet port that goes directly into a command line shell. So, if your system was attacked, you might (since it's the most often command typed) use the 'ls' command to list your files. When you do that, you also open a shell on a specific port on your computer that has root access.
[1] https://en.wikipedia.org/wiki/Shellcode
On the other hand, if the attacker needs to create the connection, the shellcode is called a bindshell because the shellcode binds to a certain port on which the attacker can connect to control it.