There are two different things at play here:
- Saving files only available to `root`, like `/etc/shadow`. That must be achieved by running restic as root (or give it appropriate capabilities), there’s no way around it.
- Creating new files within a repo as a different user, which may become an issue when you run other restic commands as a different user. For example, if you run `restic mount` as a normal user, it may happen that this user is not allowed to read a file in the repo created by `root`. That probably won’t work.

So, there’s no good solution for a local repo. I’m leaning towards running all restic commands as root, because otherwise an unprivileged user can read data from the repo, which includes privileged files (like the `shadow` file), this may lead to privilege escalation.
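
An added example, not part of the original post: a Python check over a local repo directory for the two conditions discussed above, files owned by a different user than the rest of the repo and files accessible to group or others. The function name `audit_repo` and the rule that the repo root's owner is the expected owner are assumptions made for this sketch.

```python
import os
import stat
import sys


def audit_repo(repo_path):
    """Walk a local repo directory and return two sorted lists of paths:
    mixed_owner - entries whose owner differs from the repo root's owner
    loose_mode  - entries with any group/other permission bit set
    """
    # Assumption: whoever owns the repo root is the intended owner of everything in it.
    expected_uid = os.lstat(repo_path).st_uid
    mixed_owner, loose_mode = [], []

    for dirpath, _dirnames, filenames in os.walk(repo_path):
        # Check the directory itself plus every file directly inside it.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful; skip them
            if st.st_uid != expected_uid:
                # e.g. a pack file written by root inside a repo owned by a normal user
                mixed_owner.append(path)
            if stat.S_IMODE(st.st_mode) & 0o077:
                # readable, writable or searchable by group or others
                loose_mode.append(path)

    return sorted(mixed_owner), sorted(loose_mode)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_repo.py /path/to/local/repo")
    mixed, loose = audit_repo(sys.argv[1])
    for p in mixed:
        print("owner differs from repo root:", p)
    for p in loose:
        print("group/other access allowed:", p)
    sys.exit(1 if (mixed or loose) else 0)
```
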