Ransomware and truenas snapshots

I have a question about the nature of snapshots in truenas in general. The way I understand it is that snapshots take the differential of the system state from the last snapshot.

One thing I have always worried about is that because the nature of ransomware is to encrypt all your files, this would effectively be considered a system state change. If the ransomware finishes encrypting all your files then your snapshot will become the size of all your files from the way I understand this.

Assuming there were 1 Tb of files, this would cause the total capacity to now be 1 Tb original (now encrypted) + 1 Tb snapshot differential = 2 Tb total drive capacity used.

So the question is, is my entire NAS safe when using snapshots against ransomware only and only if I have at least over half of my NAS capacity remaining to store that new snapshot from pre ransomware attack?

It will stop writing if it runs out of space but not purge the snapshots.