Mine’s about the same as just said. Anything that can be written like a local file is an easy target (unless special measures are taken, e.g. unplugging a drive). Remote can make it harder to get into. Preventing irreversible damage to remote (even if access is obtained) can take work, however it’s possible. It’s also possible that another backup software is designed around ideas like legal record retention requirements, which may focus on immutability (even by the backup administrator), and so may also impede malware.
You’d need to get technical with your salesperson, but if all they said was “in the cloud”, that’s says little, beyond it’s at least one large step better than laying around in local files. But your method has that too…
For your purposes, a lighter weight solution of reverting damage might be easier than trying to prevent it.
Restore your OneDrive is a feature (which I have not used) which lets you revert to before file damages.
“Write only backup”: Is it possible to protect my duplicati backups on a remote backup against deletion?
talked about doing your own snapshots to achieve a similar goal. The next idea uses chattr on the files:
SFTP/SSH backups to a Linux server with added security
Regardless, any serious backup strategy should use multiple backups. If you use some other software to some other destination (or even the same one), chances of both breaking or malware getting in go down.