So one approach I am using is to have 2 email servers on separate physical servers: current, archive. Archive becomes a mirror of current with respect to users. So user1@domain.com, user2@domain.com has user1@archivedomain.com, user2@archivedomain.com. If I am user1, I can have both accounts on all my devices (TBird, iOS, etc.). I then use this tool (https://imapsync.lamiral.info) to migrate current emails (but older) to archive. The tool is ugly, but works incredibly well. And since I only update the archive email server once or twice per year, I can backup less frequently since a backup from today has the same content as one generated 6 months ago. One of the other benefits is that I use SoGo EAS for current. The smaller the mailbox size the better it behaves.
Security is not much stronger other than having a smaller blast radius and the need to penetrate 2 accounts instead of 1. If IMAP and POP3 could be disabled on the archive mail server and 2FA TOTP, passwordless, etc. be enabled to access webmail, that would be a better archive option.
1
