Best Practices for Securing s3 Credentials in Duplicati From Foreign Actors?

Doing what? There’s no prior objective stated in the post. If you mean the topic title, then your service is running as SYSTEM by default (which is dangerous because Windows version upgrades wipe out files); therefore, you get some protection from file access by ordinary users but not from an elevated Administrator.

The Duplicati-server.sqlite file is also weakly encrypted with a default password which you could change. The purpose of the scrambling is to impede simple string scanners and maybe SQLite database readers (because unfortunately for legitimate usage, not many tools know how to deal with this encryption at all).

So this bypasses file permissions and also encryption, and there’s not a separate login for administrator, although that would be a nice enhancement. I think there’s a request, but not enough volunteers to help.

Basically, Duplicati trusts its user. It will also show secrets to them in Export As Command-line because they have to be passed to command line somehow. parameters-file can at least keep them a bit private.

It will also use such secrets when going to S3, because S3 needs to authenticate it. A system owned by some sophisticated attacker is kind of lost because they can simply get its secrets out using a debugger.

This is how people try to save backups of a completely compromised system. There are forum posts on that; however, it’s difficult and set-it-yourself. If Duplicati never deletes, the backup gets huge and gets slow. Keeping all versions and never compacting is the main path to this, but upload retries can be a concern.

S3-compatible providers sometimes support object lock, but Duplicati, like many programs, doesn’t use it. There might be a web page somewhere of some that do. I can think of two, one expensive, one far less.

There are other kind-of-awful schemes one could do, such as periodically snapshotting regular destinations into immutable ones. If you do that, a snapshot of the Duplicati local database at the time would ease restore. Immutable need not be truly immutable, just immutable against anything that the client system could do. Limited-time immutability could also be achieved by object lock, I think, but it’s a fairly complicated area.

It really depends on what you’re trying to protect against. Some people do file-level security of the database with an encrypted filesystem. That can help protect stolen laptops, but there are lots of attacks it doesn’t stop.
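
An added example, not part of the original post and not Duplicati code: one way to check that the S3 credential stored on the client cannot undo backups, in the sense of "immutable against anything that the client system could do". It audits an IAM-style policy document for permissions that delete objects or shorten retention. The policies and bucket name are constructed, and the evaluation is simplified as noted in the docstring.

```python
import fnmatch

# S3 actions that let the credential holder destroy backups or shorten retention.
DESTRUCTIVE = ["s3:DeleteObject", "s3:DeleteObjectVersion",
               "s3:PutLifecycleConfiguration", "s3:PutBucketVersioning",
               "s3:BypassGovernanceRetention"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # IAM action names are case-insensitive and allow * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def destructive_actions_allowed(policy):
    """Return the DESTRUCTIVE actions this identity policy still permits.

    Simplifications (assumptions): every statement targets the backup bucket,
    so Resource is ignored; NotAction statements are skipped; a Deny carrying
    a Condition is not counted, because it may not apply to every request.
    """
    statements = _as_list(policy.get("Statement", []))
    still_allowed = []
    for action in DESTRUCTIVE:
        allow = deny = False
        for st in statements:
            if "Action" not in st or not _matches(_as_list(st["Action"]), action):
                continue
            if st.get("Effect") == "Allow":
                allow = True
            elif st.get("Effect") == "Deny" and "Condition" not in st:
                deny = True
        if allow and not deny:   # an explicit Deny always overrides an Allow
            still_allowed.append(action)
    return still_allowed

# Constructed sample policies (bucket name is a placeholder).
BUCKET = "arn:aws:s3:::example-backup-bucket/*"
WEAK = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET}]}
PARTIAL = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET},
    {"Effect": "Deny", "Action": ["s3:Delete*"], "Resource": BUCKET}]}
WRITE_ONLY = {"Statement": [{"Effect": "Allow", "Resource": BUCKET,
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"]}]}

if __name__ == "__main__":
    for name, pol in [("weak", WEAK), ("partial", PARTIAL), ("write-only", WRITE_ONLY)]:
        print(name, destructive_actions_allowed(pol))
```

The partial policy shows that denying only the delete actions leaves lifecycle, versioning and retention-bypass permissions in place, so those need to be withheld from the client credential as well.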