After some time, I have re-arranged my backups. I’m now using duplicacy to backup from NAS1 to NAS2 via sftp wherein the sftp user is called backup.
Using your suggestion on the immutable attribute, a root cronjob on NAS2 executes the following commands:
chown -R root:backup * chmod -R 755 * find . -type d -print0 | xargs -0 chmod 1775
The last command sets the so called sticky bit for all directories of the storage. Thereby only the owner, which is now root, can delete or change files within that directory. Because the backup user is in the backup group, NAS1 connecting via the backup user can still add new files with the next dulicacy backup run.
The prune command is running as root on NAS2. For this purpose I had to set up a local repository (source) which is more or less empty but is connected to the same storage (target) to which NAS1 is connected. Using the “prune -all” allows to prune the snapshot revisions from the NAS1 backup.
Hope this helps some people to set up a backup which survives a malware attack or a breach.
Any further suggestions are always welcome.