Having Duplicati back up its own databases is tricky because they can be either locked (which –snapshot-policy can help) or not yet done (which --snapshot-policy can’t fix but having jobs back each other up can).
The SYSTEM profile is a bit more secure against users (but not Microsoft). It protects Duplicati better (the passwords, for example), but my databases are under ProgramData, with Security set to my liking (open)
Migrating from User to Service install on Windows is my input to a similar discussion to change the default rather than have Duplicati get wiped away twice a year. I’m not sure if it’s controversial, or just not yet done.