The method I use is that I use rsync+ssh. I then create a regular backuppc user and limit sudo access to the tools needed to perform the backup, plus anything needed to be done as root in the pre/post backup scripts, such as my dbdump script. Here is my /etc/sudoers.d/backuppc:
# This file is managed by puppet. Do not edit locally.
Cmnd_Alias BACKUP=/bin/tar, /usr/bin/rsync, /usr/bin/mysqldump, /usr/local/sbin/dbdump
backuppc ALL=NOPASSWD:BACKUP
This allows me access to all the files to be backed up/restored, and limits the backuppc user to the specific tools needed to perform the task. An attacker could get in and cause mischief, but that risk is far overshadowed by missing backups in a DR-type scenario.
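To review what a drop-in like the one above actually grants, the following added example (not part of the original post) expands each `Cmnd_Alias` and reports, per user, which commands are allowed with any arguments and which are argument-restricted. The `DUMP_ONLY` alias and the `dbbackup` user are hypothetical, constructed here only to show a restricted rule next to the post's unrestricted ones.

```python
import re

# Constructed input: the drop-in from the post, plus one hypothetical rule
# (DUMP_ONLY / dbbackup) added for contrast. In sudoers, "" after a command
# means "no arguments allowed"; a bare path means "any arguments allowed".
SAMPLE = """\
# This file is managed by puppet. Do not edit locally.
Cmnd_Alias BACKUP=/bin/tar, /usr/bin/rsync, /usr/bin/mysqldump, /usr/local/sbin/dbdump
Cmnd_Alias DUMP_ONLY=/usr/local/sbin/dbdump ""
backuppc ALL=NOPASSWD:BACKUP
dbbackup ALL=NOPASSWD:DUMP_ONLY
"""

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
# user host = [(runas)] [TAG: ...] command-list
SPEC_RE = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?((?:[A-Z]+:\s*)*)(.+)$")

def split_cmds(text):
    """Split a command list on commas that are not backslash-escaped."""
    return [c.strip() for c in re.split(r"(?<!\\),", text) if c.strip()]

def audit(text):
    """Return one record per (user, command) granted by a simple drop-in."""
    # Scope: single-line Cmnd_Alias and user specs; no line continuations
    # and no User/Host/Runas aliases.
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith(("#", "Defaults"))]
    aliases = {m.group(1): split_cmds(m.group(2))
               for m in map(ALIAS_RE.match, lines) if m}
    findings = []
    for line in lines:
        m = None if ALIAS_RE.match(line) else SPEC_RE.match(line)
        if not m:
            continue
        user, tags, cmds = m.groups()
        for item in split_cmds(cmds):
            for cmd in aliases.get(item, [item]):
                path, _, args = cmd.partition(" ")
                findings.append({"user": user, "path": path,
                                 "nopasswd": "NOPASSWD" in tags,
                                 "any_args": args.strip() == ""})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        scope = "any arguments" if f["any_args"] else "restricted arguments"
        print(f"{f['user']}: {f['path']} ({scope}, nopasswd={f['nopasswd']})")
```

Run it against the deployed file's contents instead of `SAMPLE` to get the same report for a real host; `visudo -cf <file>` remains the check for syntax validity.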