I did some experiments in the past. The nicer option I could find was enabling webdav API on the hosting side (it was an option on cPanel if I recall correctly, but there are likely other ways to do it). These allow using the webserver as a remote read/write filesystem. After you can use rclone to transfer files, the nice part is that rclone supports client side encryption so you don't have to worry too much about other people accessing files.

Yes, through Namecheap. Right now it's just hosting my personal site on WordPress, but I'm going to switch that soon due to Matt Mullenweg's drama or just take it down entirely.

You can always encrypt the backups you upload there.

Depending on the specs of the shared webspace it is possible to install some php based webdav software to easily sync files with it. KaraDAV for example.

If there was a way I could leverage the unlimited bandwidth/storage as an offsite backup, that would be amazing, but I'm not sure it would be a great idea backing up stuff to a webserver where there best security I can add it via an .htaccess file.

Your off-site backup solution shouldn't have to care about that level of security because you should be encrypting your backups before they leave your network. Even if you have a solid backup host in the cloud, you still want to encrypt your backup data before you send it to their hosted repo.

Unless your vendor has a reason to read your backups, they shouldn't be able to.

Oh and regarding the large TIF files, what limits are you hitting? Most hosters allow to change the php settings like memory limit or max execution time.

As others said, encrypt your backup before sending it to your server. And can't you upload the files to a folder outside of a document root or better outside of the www folder so there is no way to access it through the web server service?

I technically still have a hosted website, but it's rarely updated anymore. It's very low priority compared to my self-hosted stuff.