Experimented. Bottom line: The
backup is done on behalf of the "system", everyone else can access the disk / volume / folder with the backup.
The same "system" has access to all drives by default.
The difference between "Disk for archives" and "Volume for archives" is the ease of use of the first option and the convenience of the second for, say, a file dump of unnecessary files.

The correct backup is done a little differently: We put a
separate computer for backup. Under a normal operating system - I recommend FreeBSD, there are practically no viruses under it; you can take a NAS. Windows will either 'share' the folders that need to be backed up; or has a backup agent. Then the backup machine itself pulls the necessary data onto itself. Windows basically does not have the ability to write to a backup machine.
There is another option:
Install Linux. Inside we put a virtual machine, Windows on it. As necessary, data from Windows is backed up to the host system, and again, Windows, in principle, does not have the ability to write to where the backups are stored, everything is written by the host.

The rights to write, change, delete only for the user Backup
This user should not be an administrator, and no programs other than backup should be run on behalf of this user.
Everyone else, especially administrators, should not have permission to write, modify, or delete archives.

1. How to back up correctly: on a disk for archives or on a volume?

The difference is not entirely clear. In general, the system works with volumes - a letter is assigned to a volume. In principle, you can write data to a volume without a letter, but how you will work with the disk is not clear. It already needs special software.