What about the security of the destination server where the backups are stored? There is far more to worry about than just the security of the off-site backup data. By adding those weaker algorithms I’d be compromising the security of the entire server, not just the backups. There is far more on the server than just the Duplicati backup data.
See here for a more in-depth discussion of why Encrypt-Then-MAC is required and everything else is unacceptable: encryption - Should we MAC-then-encrypt or encrypt-then-MAC? - Cryptography Stack Exchange
Then it sounds like the proper answer is to use a more up to date and in-development SSH library in Duplicati, no? SSH.NET doesn’t appear to have had any meaningful development in the past two years. It doesn’t even support modern algorithms such as EtM HMACs, Curve25519, and ChaCha20-Poly1305. I would argue it would be better to strip the feature entirely rather than continue to support obsolete and potentially insecure encryption. At the very least put a warning on it that it won’t work with a properly secured server.
In any event this is a show-stopper for my use of Duplicati. It’s a shame too because version 1 worked quite well using an FTPS target server (which is going away and not possible to set up on the new server).