I use Linux mount namespaces to work around this. My restic wrapper takes ZFS snapshots of all pools, does a unshare(CLONE_NEWNS), sets private mounts, sets up the sandbox with snapshot mounts, bind mounts what needs to be read-write like caches, tmpdir, log dir, does the pivot_root dance to create a mirror view of the real filesystem and runs restic as per usual. This way paths show as they really are in the sandbox and backups are atomic and don’t run off the live changing system. A namespace alone isn’t enough as a bind mounted path in child ns disappears if the source file/dir is unlinked in the parent. E.g., if you bind-mount a file in child ns, edit and save with vim in parent, it will disappear from the child ns as vim unlinks and renames on save. By running off snapshots which are read-only also in the parent ns the sandbox is shielded from such behaviour.
I bind mount /dev and /run into the sandbox rw to make journal logging work seamlessly and to be able to notify systemd service manager as the wrapper is of type notify. But as it handles alll sandboxing itself, it runs just as well without systemd and I don’t need to rely on PrivateMounts=yes or other sd sandboxing.
I don’t unshare user as I don’t want to deal with uid/gid mappings and want to ensure backed up files have correct permissions. This means running as root which is fine by me as the system is shielded by the sandbox. Snapshots are destroyed on exit and all mounts torn down automatically by kernel leaving no trace of anything behind.