Snapshots do not have ACL applied #737

Open
tblancher opened this issue Jul 16, 2022 · 0 comments

I'm running snapper 0.10.2-2 on Arch Linux, on kernel 5.18.10, with CONFIG_BTRFS_FS_POSIX_ACL=y compiled into the kernel (Btrfs defaults to acl on when configured in the kernel). I have ALLOW_USERS and ALLOW_GROUPS set to my "backup" user and group, along with SYNC_ACL set to "yes" in my home snapper config.

/home/.snapshots definitely has the proper ACL applied:

```
getfacl: Removing leading '/' from absolute path names
# file: home/.snapshots
# owner: root
# group: root
user::rwx
user:backup:r-x
group::r-x
group:backup:r-x
mask::r-x
other::r-x
```

However, none of the snapshots do, as seen in `ls -alh /home/.snapshots`:

```
drwxr-xr-x+ 1 root root 220 Jul 16 15:01 ./
drwxr-xr-x+ 1 root root  40 Jul  2 07:49 ../
drwxr-xr-x  1 root root  32 Jan  1  2022 16437/
drwxr-xr-x  1 root root  32 Jul  1 00:00 24706/
drwxr-xr-x  1 root root  32 Jul  4 00:00 24849/
drwxr-xr-x  1 root root  32 Jul 10 00:00 25135/
drwxr-xr-x  1 root root  32 Jul 11 00:00 25182/
drwxr-xr-x  1 root root  32 Jul 12 10:10 25212/
drwxr-xr-x  1 root root  32 Jul 13 00:00 25238/
drwxr-xr-x  1 root root  32 Jul 14 00:00 25284/
drwxr-xr-x  1 root root  32 Jul 15 00:00 25331/
drwxr-xr-x  1 root root  32 Jul 16 00:00 25378/
drwxr-xr-x  1 root root  32 Jul 16 07:00 25391/
drwxr-xr-x  1 root root  32 Jul 16 08:00 25393/
drwxr-xr-x  1 root root  32 Jul 16 09:00 25395/
drwxr-xr-x  1 root root  32 Jul 16 10:00 25397/
drwxr-xr-x  1 root root  32 Jul 16 11:00 25399/
drwxr-xr-x  1 root root  32 Jul 16 12:00 25401/
drwxr-xr-x  1 root root  32 Jul 16 13:00 25402/
drwxr-xr-x  1 root root  32 Jul 16 13:01 25403/
drwxr-xr-x  1 root root  32 Jul 16 14:00 25404/
drwxr-xr-x  1 root root  32 Jul 16 14:01 25405/
drwxr-xr-x  1 root root  32 Jul 16 15:00 25406/
drwxr-xr-x  1 root root  32 Jul 16 15:01 25407/
```

Note no `+` indicating a POSIX ACL is applied to any of these subdirectories/subvolumes. This makes it difficult for the backup user to read and back up these snapshots (using Borg Backup, but the backup software for this particular problem is irrelevant). In my Borg logs I see several permission denied messages for various files in these snapshots. I do notice that snapper does not apply a default ACL to /home/.snapshots, which may be the root of the problem.

What I expect is for the read/execute bits to be allowed for the "backup" user, so I don't need to apply special ACLs to the /home subvolume, irrespective of /home/.snapshots. Is this a limitation of snapper, or the underlying Btrfs implementation?
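The two observations in the report above (no named-user entry on the snapshot directories, no default ACL on `/home/.snapshots`) can be checked mechanically from `getfacl -R` text. The following is an added example, not part of the issue and not snapper code; `parse_getfacl`, `named_user_rights` and `audit` are hypothetical helper names, and the check looks only at the named-user entry, not at owner, group or other bits.

```python
# Added example: audit getfacl text for a named user's ACL entry. SAMPLE is constructed:
# record 1 is the output quoted in the issue, record 2 a hypothetical snapshot dir without an ACL.
SAMPLE = """\
# file: home/.snapshots
# owner: root
# group: root
user::rwx
user:backup:r-x
group::r-x
group:backup:r-x
mask::r-x
other::r-x

# file: home/.snapshots/25407
user::rwx
group::r-x
other::r-x
"""

def parse_getfacl(text):
    """Return {path: {"access": {...}, "default": {...}}} from getfacl output."""
    records, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("# file: "):
            current = records.setdefault(raw[8:], {"access": {}, "default": {}})
            continue
        # Everything after '#' is a comment ("# owner:", "#effective:").
        fields = raw.split("#", 1)[0].strip().split(":")
        scope = "access"
        if fields[0] == "default":
            scope, fields = "default", fields[1:]
        if current is not None and len(fields) == 3:
            current[scope][(fields[0], fields[1])] = fields[2]
    return records

def named_user_rights(acl, user):
    """Named-user entry ANDed with the mask, or None if there is no entry."""
    perms = acl.get(("user", user))
    mask = acl.get(("mask", ""), "rwx")
    return perms and "".join(p if p == m else "-" for p, m in zip(perms, mask))

def audit(text, user, need="r-x"):
    """Return {path: (entry grants `need`, default ACL has an entry for user)}."""
    out = {}
    for path, acl in parse_getfacl(text).items():
        rights = named_user_rights(acl["access"], user) or "---"
        ok = all(r == n for r, n in zip(rights, need) if n != "-")
        out[path] = (ok, ("user", user) in acl["default"])
    return out
```

Calling `audit(text, "backup")` on real `getfacl -R /home/.snapshots` output lists, per path, whether the entry is present and effective and whether new children would inherit one.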
