Syncthing can be configured to keep revisions of each file, I use staggered file revisions, for different durations (90 days, 180 days), these will thin out the older revisions, have a look in the documentation linked in the comments. My initial idea was to combine this with ZFS/BTRFS snapshots, but I did not implement that yet, I could at any time.

Syncthing can be reached through the firewall, there is relays out there that it will connect to, so it is indirect connection then, but it works fine. Data transferred is encrypted, but you can also disable the relay function.

I use the tor hidden service because it is just nice, also in the LAN, to just plugin the Pi, then wait 2 minutes and it is available by SSH over the .onion address, this spares me from trying to find the local IP. Yeah I know how to do that by a network scan.

Also it is more fault prove, but I learned that Tor updates do not work fine when done in a screen and being connected via the hidden service. 🙁
Solution for this: sudo apt-get update && sudo apt-get install -o Dpkg::Options::="--force-confold" -y tor

What questions do remain?

I was always looking for a backup script that allows me to do a backup via some SSH connection to some server, it should be run daily and retain revision of each run up to a defined maximum age while using using hard links (I think that would save space in the destination), but then I would need a more performance computer that a RPi, because we are talking about a few hundred GB.
So the always on and syncing right away Syncthing is just working so good. But as said, combined with automated file system level snapshots that might just be it.

Open for suggestions and tips. Thanks for the valuable input so far.