"When the above attack model is extended to include multiple clients independently updating the same repository, then Borg fails to provide confidentiality (i.e. guarantees 3) and 4) do not apply any more)."
Edit: I've posted this a bunch of times here, pretty much every time it caught my eye when someone said this tool has good crypto, and by now I'm used to people just downvoting it and saying it doesn't matter because obviously no one ever would use it like that and the design is fine etc. (isn't the point of deduplication to save disk space?)
I'm more concerned about the repository format and config file (i.e. attack surface, since the repo is potentially untrusted).
Performance is actually better than Restic, and performance-critical parts of Borg are written in C or use C libraries.