Good question. This is a bit tricky and you may argue about the term "offline". My offsite ZFS array sits at a remote location (my parents' house, 100 km distance - just enough for a nuclear strike). It is automatically turned on using a Shelly PlugS on a timer, once per week. It then connects via VPN automatically to my main site, runs some checks for ransomware (like changed file-count), pulls ZFS updates and then shuts down again.
If you’re sending zfs snapshots (and not deleting them), doesn’t that give you protection against ransomware? If so, a high number of files changed might be exactly when you want to snapshot and replicate, to minimize the worst case outcome (that the ransomware gets root and zfs destroys your local copy).
Yes, but if your hypervisor is compromised, ZFS snapshots could theoretically also be deleted/modified/etc. - I wanted to cover this scenario. This is still work-in-progress and my script currently just aborts early in case of anything suspicious. Also, the file-changed check only applies to my Borgmatic solution; ZFS only works at the snapshot/dataset level.
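
An added example, not the poster's script: one way a pull-side replica could decide to abort before receiving, by comparing snapshot GUIDs on both sides and applying a file-count threshold. It assumes both listings come from `zfs list -H -t snapshot -o name,guid -s creation <dataset>`; the function names, the 25% threshold, the dataset name and all sample values are constructed for illustration.

```python
# Added example: pre-pull checks for a pull-based ZFS replica.
# Assumed input: tab-separated "dataset@snap<TAB>guid" lines, oldest first.

def parse_snapshots(listing):
    """Return [(snapshot_name, guid), ...] in creation order."""
    snaps = []
    for line in listing.strip().splitlines():
        full_name, guid = line.split("\t")
        snaps.append((full_name.split("@", 1)[1], guid))
    return snaps


def reasons_to_abort(source_listing, replica_listing):
    """Compare both sides; an empty list means the pull may proceed."""
    source = dict(parse_snapshots(source_listing))
    replica = parse_snapshots(replica_listing)
    problems = []
    if not source:
        problems.append("source has no snapshots")
    # Same name but different guid: destroyed and recreated on the source.
    for name, guid in replica:
        if name in source and source[name] != guid:
            problems.append(f"guid changed for @{name}")
    # The newest replicated snapshot is the incremental base; routine pruning
    # of older snapshots is fine, but the base must still exist.
    if replica and replica[-1][0] not in source:
        problems.append(f"incremental base @{replica[-1][0]} missing on source")
    return problems


def file_count_suspicious(previous, current, max_change=0.25):
    """Flag a relative file-count change above max_change (assumed threshold)."""
    if previous == 0:
        return current != 0
    return abs(current - previous) / previous > max_change


# Constructed sample listings.
REPLICA = "tank/data@w01\t111\ntank/data@w02\t222\n"
SOURCE_OK = "tank/data@w02\t222\ntank/data@w03\t333\n"   # w01 pruned, w03 new
SOURCE_BAD = "tank/data@w02\t999\ntank/data@w03\t333\n"  # w02 recreated

if __name__ == "__main__":
    for label, listing in (("ok", SOURCE_OK), ("bad", SOURCE_BAD)):
        print(label, reasons_to_abort(listing, REPLICA) or "pull allowed")
```

Because the replica never deletes on the source's say-so, an aborted run leaves every previously received snapshot untouched for manual review.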