You've gone to quite a length to get read-only backups by doing read-only localhost NFS and so forth. Here's another problem... I've solved one other thing that sets my alarm bells going.

I have a central backup machine that can back up multiple hosts. The trouble is, preserving ownerships and permissions involves running rsync as root on the backup machine. I didn't like this at all, because then in theory a compromise on rsync using one machine being backed up could compromise the backup machine and therefore everything else as well.

Enter Debian fakeroot. This was originally written to allow Debian package builds without needing root. I've patched it to save the environment between invocations (which is now upstream in Debian testing), and use it with rsync to make backups with only root on the to-be-backed-up machine and not root on the machine doing the backup. It's attached below.

The other small note is that I'm using Kerberos for authentication, but this could be changed to ssh keys just as easily. The script expects a subdirectory from the cwd named the same as the host to be backed up, with a "backup.keytab" (the Kerberos equivalent of an ssh key, kind of) for authentication and an exclude file (because /proc needs to be excluded so often for backing up entire hosts). It'll stick a directory in there named after the date of every snapshot.

This mechanism should improve security somewhat.
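An added sketch of the fakeroot-plus-rsync arrangement described above; it is not the poster's attached script. It assumes ssh keys instead of Kerberos, hypothetical `exclude` and `fakeroot.state` files under each host directory, date-named snapshot directories, and a hypothetical `DRY_RUN` switch that prints the command instead of running it.

```shell
#!/bin/sh
# Added example (not the original script): pull one snapshot of a host as an
# unprivileged user on the backup server. rsync runs under fakeroot, so the
# uid/gid/mode it "sets" are recorded in fakeroot's state file, not applied
# with real root privileges on the backup machine.
#
# Assumed layout, relative to the current directory:
#   <host>/exclude          rsync exclude patterns (e.g. /proc)
#   <host>/fakeroot.state   faked ownership database (hypothetical name)
#   <host>/YYYY-MM-DD/      one directory per snapshot

snapshot() {
    host=$1
    day=$2
    state="$host/fakeroot.state"

    # Build the command in the positional parameters so quoting survives.
    set -- fakeroot
    # -i reloads the ownership database saved by the previous run, if any.
    [ -f "$state" ] && set -- "$@" -i "$state"
    # -s writes the updated database back when rsync exits.
    set -- "$@" -s "$state" -- rsync -a --numeric-ids \
        --exclude-from="$host/exclude"

    # Hard-link unchanged files against the newest earlier snapshot.
    prev=$(ls -d "$host"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] \
        2>/dev/null | grep -vxF "$host/$day" | sort | tail -n 1)
    # A relative --link-dest is resolved against the destination directory,
    # so pass an absolute path.
    [ -n "$prev" ] && set -- "$@" --link-dest="$PWD/$prev"

    # root is needed only on the machine being backed up.
    set -- "$@" -e ssh "root@$host:/" "$host/$day/"

    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
        return 0
    fi
    # The point of the exercise: never run the receiving side as real root.
    if [ "$(id -u)" -eq 0 ]; then
        echo "snapshot: refusing to run as root on the backup server" >&2
        return 1
    fi
    mkdir -p "$host/$day" && "$@"
}

# Usage, from the backup root:  snapshot web1 "$(date +%Y-%m-%d)"
```

fakeroot's saved state identifies files by device and inode number, so the recorded ownership is only meaningful while the snapshots stay on the same filesystem as when the state file was written, and restores must also run under `fakeroot -i` to see it.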