The container capture preserved the app's ownership (e.g. www-data 0640), so restic still hit permission denied on the staging copy. chown the staging tree to the backup user after capture (modes unchanged, so the owner reads fine); real ownership is reapplied from the descriptor on restore.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>