Defense against trojans

I agree, but this is actually not possible. Duplicati needs access to the destination, so the process that runs Duplicati needs the credentials in the clear.

On a compromised machine, ransomware can read such credentials, and do whatever Duplicati can.

Storing the data in an OS keychain only guards against cold attacks, not when Duplicati is running.

The only true way to guard against ransomware is to guard the server, and have a “no updates, no deletes” user. This means that backups grow forever, but that they are always intact.

Network shares do not offer this, AFAIK. Until now, network shares really have been the killer path for ransomware, so for that reason I would recommend not using them if possible.
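A way to check the “no updates, no deletes” property from the client side, as an added example that is not part of the original post or of Duplicati: the probe writes a canary file with the backup credential, then confirms that overwriting and deleting it both fail. The two backend classes and their `put`/`get`/`delete` methods are constructed stand-ins (assumptions); in practice you would wrap your real destination behind the same three calls.

```python
class ShareLikeBackend:
    """Constructed stand-in for a network share: the client may do anything."""
    def __init__(self):
        self.files = {}
    def put(self, name, data):
        self.files[name] = data
    def get(self, name):
        return self.files[name]          # raises KeyError if the file is gone
    def delete(self, name):
        del self.files[name]

class AppendOnlyBackend(ShareLikeBackend):
    """Constructed stand-in for a server-enforced 'no updates, no deletes' user."""
    def put(self, name, data):
        if name in self.files:
            raise PermissionError("overwrite denied")
        self.files[name] = data
    def delete(self, name):
        raise PermissionError("delete denied")

def probe(backend, name="probe-canary.bin"):
    """Report what the backup credential can do to an existing file."""
    original = b"canary-v1"
    backend.put(name, original)          # creating new files must still work
    result = {"create": backend.get(name) == original,
              "overwrite": False, "delete": False}
    try:
        backend.put(name, b"tampered")
        # Compare content too: some servers accept the call but ignore it.
        result["overwrite"] = backend.get(name) != original
    except PermissionError:
        pass
    try:
        backend.delete(name)
        backend.get(name)                # still readable: delete was ignored
    except PermissionError:
        pass
    except KeyError:
        result["delete"] = True          # file is really gone
    return result

def is_append_only(result):
    """True only if the credential can add data but not destroy it."""
    return result["create"] and not result["overwrite"] and not result["delete"]

if __name__ == "__main__":
    for backend in (ShareLikeBackend(), AppendOnlyBackend()):
        r = probe(backend)
        print(type(backend).__name__, r, "append-only:", is_append_only(r))
```

On an append-only destination the canary file stays behind after the probe, which is the expected outcome.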