Coming back to this, I'm now wondering about the attack surface of a sub-domain serving as an alias to our DO space. How tough might it be for someone to find contrived-subname.mydomain.tld, an alias for foo-bucket123. And then how tough might it be for that someone to access the space once they find the name?
I guess the stock answer is "it's all secure", but in practical terms, I'm still not sure if we're giving significant credit to security by obscurity.
I'm just looking for the "right" way to get regular backups of internal data, and I don't want to do anything stupid or get any surprises with basic usage.