Thanks for your reply AND advice.
We actually add an IAM user to our account for each client with just one single S3 policy that restricts their access to just get the content of their backup folder. They never login in AWS. We install and configure an app like Cloudberry Explorer, S3 Browser or Mountain Duck on one of their machines to access their backup files.
The one flaw in this system is indeed that they see all the other customer's backup folders. But they have no access to them. So we might switch to one bucket for each customer.
We were looking into your