On our server we have a number of users (i.e. clients) who need their code to be backed up. Their file permissions are usually 650 with user and group being user:user (where user is the actual user name).
In crontab we have a user, backup, that backs up all the desired file paths via tarsnap. The problem is that because of the file permissions, backup can't access these. I can think of four solutions:
- Set the cronjob to run as root. This is the easiest fix but I don't know if there is a security issue here.
- Create a group that all users we want to backup and backup belong to. Set the default permissions to set the group for all these users to that group... the backup group seems like a good choice for a group name. This seems a bit difficult though. How do I change the default permissions for each user so that each file touched has the user user and group backup?
- Modify the group permissions on all the files we want to backup. This is also easy but it also means every time a file is touched (i.e. modified or created) we'll have to modify the group. Not ideal.
- Make the files world-readable. Is this a security issue?
What would be a reasonable configuration so that I can easily backup these files?
Just thought of one more…
- Add the backup user to each of the user groups I wish to backup. This resolves the problem of shared access.
In doing some research, it seems like the semantics of /var/backups and the backup user are unclear. It doesn't seem dangerous to put backups in /var/backups but the recommendation there was not to use it for user backups since the behavior is undocumented (since 2001). Practically speaking, it seems that a lot of processes use /var/backups and the backup user ("user" is the wrong word to describe this though... since backup is not a proper "user" with a home directory, etc.) so in recommending its usage, we're not advocating something new.
I think you should really go with just running the cronjob under root.
Reasons:
- You will avoid non-backed up files due to a user setting permissions to something like 700. For example, ssh keys must have this permission or SSH refuses to use them, if I remember correctly. When doing a backup under root you will always know that you copied all the files.
- If you make users part of the same backup group, they will be able to access each other's files. I think there are too many possible security issues caused by said reconfiguration to use backup group than to simply use cronjob for user root.
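The coverage gap the answer describes can be checked before choosing an option. This is an added example, not part of the original question or answer: it models plain Unix mode bits to list what a non-root backup account would skip, with and without membership in the owner's group. The sample tree, the file names and the simulated backup uid are constructed assumptions, and ACLs are ignored.

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, want):
    """Classic Unix check: only one class (owner, group or other) is consulted."""
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return (st.st_mode >> shift) & want == want

def unreadable_for(root, uid, gids):
    """Paths under root (relative) that uid/gids could not read for a backup.
    Assumption: plain mode bits only; ACLs and root privileges are ignored."""
    missed = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            path = os.path.join(dirpath, name)
            # Listing and entering a directory needs both r and x.
            if not allowed(os.lstat(path), uid, gids, 0o5):
                missed.append(os.path.relpath(path, root) + "/")
                dirnames.remove(name)  # nothing below it is reachable
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and not allowed(st, uid, gids, 0o4):
                missed.append(os.path.relpath(path, root))
    return sorted(missed)

def build_sample():
    """Constructed home directory using the modes mentioned on the page."""
    root = tempfile.mkdtemp(prefix="home-user-")
    for rel, mode in (("code", 0o755), (".ssh", 0o700)):
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    for rel, mode in (("code/app.py", 0o650), (".ssh/id_key", 0o600),
                      ("notes.txt", 0o600)):
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    root = build_sample()
    st = os.stat(root)
    backup_uid = st.st_uid + 1  # hypothetical uid standing in for the backup account
    print("not in user's group:  ", unreadable_for(root, backup_uid, set()))
    print("added to user's group:", unreadable_for(root, backup_uid, {st.st_gid}))
```

Even with the backup account added to the owner's group, the 700 directory and the 600 file are still skipped, which is the coverage problem the answer raises.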