ProgramData is what I run, but using --portable-mode on the install has been suggested (config is under Program Files, which some people see as wrong). The main drawback/advantage that I see in ProgramData relative to the profile for SYSTEM is that file permissions are more open – and the database holds credentials. They’re obfuscated on Windows, but it’s mostly to thwart unsophisticated malware, e.g. string scanners.
"Tray Icon does not start after setting a UI password (Service Mode)" suggests an advantage of loosening access to the config. TrayIcon needs to use a lower-level HTTP interface to check server status, and its method of getting the password is to read the DB. But TrayIcon runs as users, so a user might see things intended for some other user on a multi-user system. The Web UI has a similar problem for a SYSTEM service.
There seemed at one time to be an idea of how to fix TrayIcon, but even now, ProgramData seems best. Would anyone care to check GitHub issues to see if it’s actually requested? Migration is also an issue…
"Duplicati creates large files in the roaming part of the user profile on Windows #2222" is linked from my first link, and there the --portable-mode suggester also suggests ProgramData. A big technical analysis follows.
To make things more complicated, a service doesn’t have to run as SYSTEM. It can run as some end user.
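
The permissions question raised in this post can be checked directly. The script below is an added example, not part of the post and not Duplicati's own code; it lists accounts other than SYSTEM and Administrators that hold read access to the config folder and its databases. The folder path and the `*.sqlite` pattern are assumptions, and for a service running as an end user that account's SID would be added to the expected list.

```powershell
# Added example (not Duplicati code). Lists accounts other than SYSTEM and
# Administrators that can read the config folder or the databases in it.
# Assumptions: the folder path below and the *.sqlite file pattern.
param(
    [string]$ConfigDir = (Join-Path $env:ProgramData 'Duplicati')
)

# Well-known SIDs, used instead of names so the check works on any locale.
$expectedSids = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM, BUILTIN\Administrators
$readData     = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$inheritOnly  = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType      = [System.Security.Principal.SecurityIdentifier]

function Get-UnexpectedReader {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries apply to children, not to this object.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if (([int]$ace.FileSystemRights -band $readData) -eq 0) { continue }
        $sid = $ace.IdentityReference.Value
        if ($expectedSids -contains $sid) { continue }

        # Resolve the SID to a name for display; keep the SID if that fails.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Path      = $Path
            Identity  = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if (-not (Test-Path -LiteralPath $ConfigDir -PathType Container)) {
    throw "Config folder not found: $ConfigDir"
}

# Check the folder itself, then each database file inside it.
$targets = @($ConfigDir) + @(Get-ChildItem -LiteralPath $ConfigDir -Filter '*.sqlite' -File |
                             ForEach-Object { $_.FullName })
$targets | ForEach-Object { Get-UnexpectedReader -Path $_ } | Format-Table -AutoSize
```

The output lists allow entries on the ACL only; deny entries and file ownership are not evaluated, so it is a starting point for review and not an effective-access calculation.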