I would also like to contribute something to the suggestions:
The method described by Andy (if you use proxmox) is excellent when it comes to a complete restoration and even if it is only about individual files (which of course you have to know explicitly).
However, if it is about the restoration of individual services (because something does not work there, e.g. after updates) - and new data has already been written in the other services (or containers), Proxmox unfortunately does not help or then it becomes very complicated.
At the latest this point, the new Neth8 backup system becomes important because it can also be restored to individual services (containers), but the rest on the host remains as it is (as far as I understand). So it is not a bad idea to use this backup system in the general.
However, I personally am not a friend to grant a Host writing on a backup system (whichever), because in the worst case, a compromised host can also delete or compromise all backups (provided that the backup server has no precautions here).
Normally, it is therefore my usual approach to create a backup via RSYNC in which the backup server gets the data to be secured from the host (pull). So the host itself has no writing on the backups and the backup server in principle does not require any wrapping on the host. Of course, this has the disadvantage that the backup server now needs extensive reading elaborations on the host and this is of course also a question of trust, because with the usual RSYNC the files are transmitted encrypted but mostly read or stored in plain language. But this backup can also be removed incrementally.
And here it will be interesting again the Neth8 backup with a local storage. This backup can be (will) be encrypted and - because it is located locally - then of course also available for an external RSYNC backup. The RSYNC does not have to secure the whole system, but only the local backup drive or the backup folder. As intended, special things can then be restored from the local backup - and yet the whole backup is also on the backup server (e.g. far away). In this way we have a good mix of convenience, speed and data security, because we can also hold a spatially distant copy of the backup (e.g. for disasters). In the worst case, we could even copy backup data from the backup server back to the local Bckup on the host and secure it from there (I assume).
Of course, when using proxmox, the secure image of the local backup savings store would always be available (and all PBS (Proxmox Backup Server) backups can also be synchronized very well), but the method described also works without virtualization and purely with Linux on board.
Greetings Yummiweb