For confidence look at strace -fe trace=openat mariabackup and you'll
see the datadir files are opened O_RDONLY.
I'm not a C programmer but I guess that means the openat(2) calls we can see mariabackup make aren't reckless, which is good.
In general I trust [Mm]aria* more than I trust myself, which points to the other problem: my script...
It's also possible to make the /var/lib/mysql readonly for this
service without affecting mariadbd.
Interesting. Bind mounts are a handy trick in lxc too. systemd is full of nutritious goodness. I keep meaning to read the manual but it's so long.
SELinux rules can make a tighter constraint, though would impede the
copyback functionality when a restore occurs.
Though could be enforced on the backup context -
Many years ago I promised myself a special reward in heaven if I can get to my grave without having engaged with SELinux.
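
The strace check suggested at the top of this thread can be automated. The following is an added example, not code from either poster or from MariaDB: it scans saved `strace -fe trace=openat` output and lists any open under the datadir that is not read-only. The function name, the `cwd` parameter and the sample trace are assumptions made for illustration.

```python
import posixpath
import re

# Matches the openat(2) lines strace prints, including "[pid N]" prefixed and
# "<unfinished ...>" ones (the flags appear before the cut-off point).
OPENAT = re.compile(
    r'openat\((?P<dirfd>[^,]+), "(?P<path>(?:[^"\\]|\\.)*)", (?P<flags>[A-Z_|0-9x]+)')
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}


def writable_opens(trace_lines, datadir="/var/lib/mysql", cwd="/"):
    """Return (path, write_flags) for each openat under datadir that is not read-only.

    cwd is the traced process's working directory (an assumption supplied by
    the caller); it resolves relative paths opened via AT_FDCWD.
    """
    datadir = posixpath.normpath(datadir)
    findings = []
    for line in trace_lines:
        m = OPENAT.search(line)
        if not m:
            continue
        path = m.group("path")
        if not path.startswith("/"):
            if m.group("dirfd") != "AT_FDCWD":
                continue  # relative to some other directory fd: not resolvable here
            path = posixpath.join(cwd, path)
        path = posixpath.normpath(path)
        # Compare on a path boundary so /var/lib/mysql-files does not match.
        if path != datadir and not path.startswith(datadir + "/"):
            continue
        risky = set(m.group("flags").split("|")) & WRITE_FLAGS
        if risky:
            findings.append((path, sorted(risky)))
    return findings


# Constructed sample trace (not captured from a real mariabackup run).
SAMPLE = """\
[pid 4101] openat(AT_FDCWD, "/var/lib/mysql/ibdata1", O_RDONLY|O_CLOEXEC) = 7
[pid 4101] openat(AT_FDCWD, "./mysql/user.MAD", O_RDONLY|O_CLOEXEC) = 8
[pid 4102] openat(AT_FDCWD, "/backup/ibdata1", O_RDWR|O_CREAT|O_CLOEXEC, 0660) = 9
[pid 4102] openat(AT_FDCWD, "/var/lib/mysql-files/x", O_WRONLY|O_CREAT, 0644) = 10
[pid 4103] openat(AT_FDCWD, "./demo.tmp", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 11
""".splitlines()

if __name__ == "__main__":
    for path, flags in writable_opens(SAMPLE, cwd="/var/lib/mysql"):
        print(f"NOT read-only: {path} ({'|'.join(flags)})")
```

An empty result means every datadir open in the trace was read-only; opens relative to a directory fd other than AT_FDCWD are skipped, so check the trace for those separately.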