Ransomware and TrueNAS snapshots

I have a question about the nature of snapshots in TrueNAS in general. The way I understand it is that snapshots take the differential of the system state from the last snapshot.

One thing I have always worried about is that because the nature of ransomware is to encrypt all your files, this would effectively be considered a system state change. If the ransomware finishes encrypting all your files, then your snapshot will become the size of all your files, from the way I understand this.

Assuming there were 1 Tb of files, this would cause the total capacity to now be 1 Tb original (now encrypted) + 1 Tb snapshot differential = 2 Tb total drive capacity used.

So the question is, is my entire NAS safe when using snapshots against ransomware if and only if I have at least over half of my NAS capacity remaining to store that new snapshot from the pre-ransomware attack state?

It will stop writing if it runs out of space but not purge the snapshots.

Good to think about these scenarios. I see your reasoning, but it cannot be safely taken that far because the attackers may only encrypt a small fraction of the files. In the simplest case, they do not encrypt files required for your operating system to boot and let you know how to pay.
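The space accounting discussed in this thread, as an added example that is not part of any post above: a toy copy-on-write pool (a simplified model, not ZFS or TrueNAS code) showing how much space a pre-attack snapshot pins when files are overwritten, what happens when the pool fills, and what a rollback restores. `CowPool` and `simulate` are hypothetical names, and one block stands for one unit of data.

```python
# Toy copy-on-write pool (simplified model, not ZFS code). One block = one unit of data.
class PoolFull(Exception):
    pass

class CowPool:
    def __init__(self, capacity):
        self.capacity = capacity
        self.next_id = 0
        self.live = {}       # file name -> block ids currently in use
        self.snapshots = {}  # snapshot name -> frozen {file name: block ids}

    def used(self):
        # A block occupies space while the live filesystem OR any snapshot references it.
        refs = {b for blocks in self.live.values() for b in blocks}
        for snap in self.snapshots.values():
            refs.update(b for blocks in snap.values() for b in blocks)
        return len(refs)

    def write(self, name, nblocks):
        # Overwrites go to fresh blocks; old blocks are freed only if no snapshot holds them.
        old = self.live.pop(name, None)
        if self.used() + nblocks > self.capacity:
            if old is not None:
                self.live[name] = old  # failed write leaves the file as it was
            raise PoolFull(name)
        self.live[name] = tuple(range(self.next_id, self.next_id + nblocks))
        self.next_id += nblocks

    def snapshot(self, snap):
        self.snapshots[snap] = dict(self.live)

    def rollback(self, snap):
        self.live = dict(self.snapshots[snap])

def simulate(capacity, files, encrypt_fraction):
    """Return (files rewritten, blocks used after attack, files restored by rollback)."""
    pool = CowPool(capacity)
    for i in range(files):
        pool.write(f"file{i}", 1)
    pool.snapshot("pre-attack")
    original = dict(pool.live)
    rewritten = 0
    try:
        for i in range(int(files * encrypt_fraction)):
            pool.write(f"file{i}", 1)  # stands in for a file being replaced by ciphertext
            rewritten += 1
    except PoolFull:
        pass  # the pool stops accepting writes; the snapshot is untouched
    used_after = pool.used()
    pool.rollback("pre-attack")
    restored = sum(pool.live[n] == original[n] for n in original)
    return rewritten, used_after, restored
```

In this model, a pool with less than double the data size fills partway through the overwrite, yet the rollback still restores every file because the snapshot's blocks are never freed.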