tl;dr maybe try
docker exec -it web_only bash
chown -R discourse:www-data /shared/backups
And more words.
Without looking, I’d next try rebuilding the data container, hoping that whatever change was made also got made to (or affects) the data container.
The bad-advice answer is to make ...backups/default world writable and seeing the ownership of the backup.
So I think what you want to do is chown default to discourse.www-data in the web container (that’s the one doing the backups).
Here’s a recent single-container:
root@forum.mbse-capella.org(app):~$ docker exec -it app bash
root@new-app:/# grep www /etc/passwd
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
root@new-app:/# grep discourse /etc/passwd
discourse:x:1000:1000::/home/discourse:/bin/bash
At some points in the past the build process would chown all the files, but it can take a really long time, so I think that may have been removed at some point (this is more than a feeling than anything based on paying attention to commits).