I’m interested in the mention of “data loss”. My understanding is that prune will only run when there are no backups in progress (due to locks held and periodically refreshed by the client during the backup process), and the scope for prune doing anything unwanted here is it jumping in after a client has disconnected part-way through a backup, and then removing data the client had already uploaded.
The outcome as I understand is then that the client has to go through the bother of re-uploading that same data which prune may have just removed. While that may be important if you’ve got limited client bandwidth or pay for data, I’m not sure I would describe that default behaviour as “data loss” as it can’t affect any data in completed backup snapshots.
A potential improvement for restic might be for prune to only consider removing unreferenced data if it has been stale for a (configurable) bit, in the hope the client will come back and complete its backup. Maybe that’s already in the plan.