
Absolutely. A good backup product should be configurable so that old backups cannot be deleted. Of course, space is limited, so they should be able to expire at a set age, or when available capacity is depleted. On a snapshot-based system, redirect-on-write and dedup are unavoidable, so it should be easy to see if malware is busy encrypting everything, as there should be an unusually high rate of change of capacity. This assumes you're actually monitoring it.
Fundamentally, there are so many bad designs out there. I'm not going to name any names, for reasons that should hopefully be obvious. A certain customer, responsible for a large piece of transportation infrastructure, was using a well-known virtualisation product. Many hosts (100+) were using a high availability solution which used ssh to manage failover on this virtualisation product. And each was using the same SSH key, which gave full admin access. So, given access to any of these hosts, you get access to everything. A rogue user could cause $billions in lost business.
Of course, I pointed this out. Was anything done?