I pay for a second inexpensive mailbox at Mailfence and sync the contents of the Fastmail account to a subfolder of the Mailfence account. There is rate-limiting involved, so my config is dialed down on "pipelinedepth" to ensure I don't hit that problem (you can easily overrun the Mailfence side pushing too much too fast). The cron runs via a unique user account on a cloud server every 4 hours using unique passwords (see below).

cron runner's ~/.mbsyncrc

    # Source
    IMAPAccount imap-src-account
    Host imap.fastmail.com
    Port 993
    User <user@domain.com>
    PassCmd "cat <redacted>/.secure/psrc"
    SSLType IMAPS
    SystemCertificates yes
    PipeLineDepth 1
    
    # Dest
    IMAPAccount imap-dest-account
    Host imap.mailfence.com
    Port 993
    User <username>
    PassCmd "cat <redacted>/.secure/pdst"
    SSLType IMAPS
    SystemCertificates yes
    PipeLineDepth 1
    
    # Source map
    IMAPStore imap-src
    Account imap-src-account
    
    # Dest map
    IMAPStore imap-dest
    Account imap-dest-account
    
    # Transfer options
    Channel mailsync
    Master :imap-src:
    Slave :imap-dest:SubFolder/
    Sync Pull
    Create Slave
    Remove Slave
    Patterns *
    CopyArrivalDate yes

Note: use the Fastmail option to set up a READ ONLY IMAP user password! (it's a really cool feature of Fastmail that many others do not support) Mailfence also has per-service passwords, set one up for IMAP as well. Do not use your main login passwords if you can avoid it - $0.02.