For restic to work, the rclone configuration file must not be encrypted?

Good and important topic! I am not really sure how it works for Google, but for MS onedrive, the rclone.conf contains an access token, once you have that, you can do whatever you want on the share, no new login etc. required as far as I can tell, unfortunately.

I think you are absolutely right to consider this attack vector and look at possible mitigations, and really, there are only two possible solutions:

  1. Configure backend with append-only, immutable mode, object-locks, custom retention policy etc. (not possible with many low-end cloud storage solutions)
  2. Require human intervention during the backup process to provide credentials

I went for #2, and documented my approach here, if you are interested:
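As an added example (not the poster's code or restic's), a POSIX shell check that tells whether an rclone.conf is still plaintext and carries credentials such as the OAuth token mentioned above, so a restic wrapper can refuse to run until the operator supplies the config password at backup time (option 2). The sample config contents, the header detection and the `rclone_conf_*` function names are constructed for this example.

```shell
#!/bin/sh
# Added example: audit an rclone.conf before letting restic use it.
# An rclone-encrypted config starts with the header checked below; a
# plaintext config lists [remote] sections with their secrets in clear.

# Returns 0 when the file is an rclone-encrypted config.
rclone_conf_is_encrypted() {
    head -n 1 "$1" | grep -q '^# Encrypted rclone configuration File'
}

# Prints "remote key" for every credential-like key stored in plaintext.
rclone_conf_plaintext_secrets() {
    awk '
        /^\[.*\]$/ { remote = substr($0, 2, length($0) - 2); next }
        /^(token|pass|secret_access_key|client_secret|key)[ \t]*=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[1]); print remote, kv[1]
        }' "$1"
}

# Gate for a backup wrapper: "encrypted" means go ahead and prompt the
# operator for the config password; "plaintext-secrets" returns 1 so the
# wrapper aborts instead of running restic with a long-lived token on disk.
rclone_conf_check() {
    if rclone_conf_is_encrypted "$1"; then
        echo "encrypted"
    elif [ -n "$(rclone_conf_plaintext_secrets "$1")" ]; then
        echo "plaintext-secrets"
        return 1
    else
        echo "plaintext-no-secrets"
    fi
}

# Constructed sample: plaintext config holding a (placeholder) OAuth token.
make_sample_plaintext_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[onedrive]
type = onedrive
token = {"access_token":"CONSTRUCTED-PLACEHOLDER","expiry":"2030-01-01T00:00:00Z"}
drive_type = personal

[local]
type = local
EOF
    echo "$f"
}

# Constructed sample: the shape of an encrypted config (ciphertext is a placeholder).
make_sample_encrypted_conf() {
    f=$(mktemp)
    printf '# Encrypted rclone configuration File\n\nRCLONE_ENCRYPT_V0:\nCONSTRUCTED-CIPHERTEXT\n' > "$f"
    echo "$f"
}
```

When `rclone_conf_check` reports `encrypted`, the wrapper can read the password from the operator into `RCLONE_CONFIG_PASS` for the duration of the `restic backup` run, so nothing usable by an attacker stays on the machine between backups.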
