The repository data only contains sha256 hash of file chunks, but no sha256 hash of the whole file. Calculation that hash won’t work without reading the whole file from the repository (in which case you could just restore to a temporary location and run shasum afterwards). See capture and validate backed up files checksums · Issue #1620 · restic/restic · GitHub for a feature request regarding a full file hash.
But I wonder whether it’s really necessary to provide full file hashes. It would probably be sufficient to let restic do the checks itself, using some sort of diff against local files.
That said what would also work is to create a new backup --force and then use the diff command to look for unexpected changes.