Any updates on the plaintext password security problem?

Defense against trojans gets into the append-only idea. It doesn’t do much to prevent reading your backup; however, if the attacker is already on your system, they can read your original files. Other options include having Duplicati run as a Windows service as the SYSTEM user, so an attacker that can only get in as you won’t be able to access the Duplicati databases (assuming you’re a Standard User, not an Administrator). Avoiding password reuse is, as always, a good idea so as to limit the damage if something gets revealed.

Although you seem to be talking about an attacker on a live system, full drive encryption can prevent some other hazards such as losing a laptop and having all your secrets just sitting there in clear text on the drive. Less heavy than full drive encryption might be to use encryption (tied to your login) on the databases folder.

Windows Encrypting File System can do this. How to encrypt files and folders in Windows 10, 8 or 7 gives more information on this, and also on BitLocker (for FDE). Note that Windows Home lacks both of these… There are other Windows solutions around, and Linux has its own set (presumably most OSs have some).
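An added check (not from the original post or from Duplicati) that audits a database folder for the two protections the reply mentions: EFS encryption on the files, and an ACL that grants nothing to broad groups such as Users or Everyone. The default folder path is an assumption; point it at wherever your Duplicati install keeps its databases.

```powershell
# Added audit script, not part of the original thread. Assumes the Duplicati
# database folder is passed in or sits at the per-user default below.
param(
    [string]$DbFolder = "$env:LOCALAPPDATA\Duplicati"   # assumed location; adjust
)

if (-not (Test-Path -LiteralPath $DbFolder)) {
    Write-Error "Folder not found: $DbFolder"
    exit 1
}

# 1. EFS: every database file should carry the Encrypted attribute.
$files = Get-ChildItem -LiteralPath $DbFolder -File -Recurse
$unencrypted = $files | Where-Object {
    ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -eq 0
}
if ($unencrypted) {
    Write-Warning "Files without EFS encryption:"
    $unencrypted | ForEach-Object { Write-Warning "  $($_.FullName)" }
} else {
    Write-Host "OK: all $($files.Count) files are EFS-encrypted"
}

# 2. ACL: broad groups should have no Allow entries on the folder, otherwise a
#    standard-user account can read the databases even if the service runs as SYSTEM.
$broad = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
$acl = Get-Acl -LiteralPath $DbFolder
$loose = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value
}
if ($loose) {
    Write-Warning "Broad ACL entries on ${DbFolder}:"
    $loose | ForEach-Object { Write-Warning "  $($_.IdentityReference) : $($_.FileSystemRights)" }
} else {
    Write-Host "OK: no Allow entries for Users/Everyone/Authenticated Users"
}
```

Run it from the account that owns the backups; EFS shows up on a per-file basis, so a folder where only some files report the attribute means encryption was applied before new databases were created there.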