tar => openssl aes-256-cbc -in my_backup.tar.gz -out my_backup.enc => scp ?

Well, it's like a trial balloon of the proposal.
I would do this: go to gentoo via ssh, connect an encrypted disk, start rsync on ubuntu.
The encrypted drive will not be accessible without the key.
The key is lying on ubuntu in a place where there is only root access.

tar can increment. Well, then openssl already.

Read about LUKS partition encryption and SSHFS mounting (eg here and here ) On gentoo, create a physical partition or lvm or container. I won’t advise you on specific examples, I did it a long time ago, now there is no such need.
But everything was exactly like this:
I allocated a partition with LVM, encrypted it.
Connected the encrypted partition via mount sshfs entered the key
Next, any tool on your side will do.
Scp was still working for me (I was not familiar with rsync - now of course you can’t do without it)
You can do either a full backup, or synchronization, or archives, as you write.
You can still try to create an encrypted container and mount it if there is no way to make partitions.

In the end, I connected the necessary directory via NFS and poured a backup to it using duplicity and a script that makes life easier .