If you’re sending zfs snapshots (and not deleting them), doesn’t that give you protection against ransomware? If so, a high number of files changed might be exactly when you want to snapshot and replicate, to minimize the worst case outcome (that the ransomware gets root and zfs destroys your local copy).
Yes, but if your hypervisor is compromised, ZFS Snapshots could theoretically also been deleted/modified/etc. - I wanted to cover this scenario. This is still work-in-progress and my script currently just aborts early in case of anything suspicious. Also, the file changed check only applies to my Borgmatic solution, ZFS only works at the snapshot/dataset level.
