diff --git a/changelog/unreleased/issue-1756 b/changelog/unreleased/issue-1756
new file mode 100644
index 000000000..f735cf1f9
--- /dev/null
+++ b/changelog/unreleased/issue-1756
@@ -0,0 +1,15 @@
+Bugfix: Mark repository files as read-only when using the local backend
+
+Files stored in a local repository were marked as writeable on the
+filesystem for non-Windows systems, which did not prevent accidental file
+modifications outside of restic. In addition, the local backend did not work
+with certain filesystems and network mounts which do not permit modifications
+of file permissions.
+
+restic now marks files stored in a local repository as read-only on the
+filesystem on non-Windows systems. The error handling is improved to support
+more filesystems.
+
+https://github.com/restic/restic/issues/1756
+https://github.com/restic/restic/issues/2157
+https://github.com/restic/restic/pull/2989
diff --git a/internal/backend/local/local.go b/internal/backend/local/local.go
index 19f083a29..34ac3a20e 100644
--- a/internal/backend/local/local.go
+++ b/internal/backend/local/local.go
@@ -130,7 +130,15 @@ func (b *Local) Save(ctx context.Context, h restic.Handle, rd restic.RewindReade
 		return errors.Wrap(err, "Close")
 	}
 
-	return setNewFileMode(filename, backend.Modes.File)
+	// try to mark file as read-only to avoid accidential modifications
+	// ignore if the operation fails as some filesystems don't allow the chmod call
+	// e.g. exfat and network file systems with certain mount options
+	err = setFileReadonly(filename, backend.Modes.File)
+	if err != nil && !os.IsPermission(err) {
+		return errors.Wrap(err, "Chmod")
+	}
+
+	return nil
 }
 
 // Load runs fn with a reader that yields the contents of the file at h at the
@@ -205,7 +213,7 @@ func (b *Local) Remove(ctx context.Context, h restic.Handle) error {
 
 	// reset read-only flag
 	err := fs.Chmod(fn, 0666)
-	if err != nil {
+	if err != nil && !os.IsPermission(err) {
 		return errors.Wrap(err, "Chmod")
 	}
 
diff --git a/internal/backend/local/local_unix.go b/internal/backend/local/local_unix.go
index 74fb47bf4..cc99d4a0b 100644
--- a/internal/backend/local/local_unix.go
+++ b/internal/backend/local/local_unix.go
@@ -9,6 +9,6 @@ import (
 )
 
 // set file to readonly
-func setNewFileMode(f string, mode os.FileMode) error {
-	return fs.Chmod(f, mode)
+func setFileReadonly(f string, mode os.FileMode) error {
+	return fs.Chmod(f, mode&^0222)
 }
diff --git a/internal/backend/local/local_windows.go b/internal/backend/local/local_windows.go
index be8f62d96..ccf788072 100644
--- a/internal/backend/local/local_windows.go
+++ b/internal/backend/local/local_windows.go
@@ -7,6 +7,6 @@ import (
 // We don't modify read-only on windows,
 // since it will make us unable to delete the file,
 // and this isn't common practice on this platform.
-func setNewFileMode(f string, mode os.FileMode) error {
+func setFileReadonly(f string, mode os.FileMode) error {
 	return nil
 }