The approach I am taking is background sync of all user-created data into Git, with automatic one-way replication that is not accessible through SMB. Git has plenty of tools to manage that and I simply automate all this without exposing the user to the commit process. That way I can just reimage the machine and replicate undamaged data back onto it. The problem is detecting data exfiltration and I don't have a solution for that yet.
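One way the sync-and-restore loop described in the comment above could look, as an added example that is not the commenter's code. The function names, paths and the `vault` remote name are assumptions, and the two `receive.*` settings are an added hardening so that an infected client can append commits to the replica but cannot rewrite or delete its history.

```bash
#!/usr/bin/env bash
# Added example: every function name, path and remote name here is hypothetical.

# Create the replication target as a bare repo that refuses history rewrites
# and branch deletion, so a compromised client can only append commits.
init_vault() {  # $1 = vault path (reached over SSH in practice, never SMB)
    git init --quiet --bare "$1" &&
    git -C "$1" config receive.denyNonFastForwards true &&
    git -C "$1" config receive.denyDeletes true
}

# Turn a user data directory into a working tree that pushes to the vault.
init_workdir() {  # $1 = data dir, $2 = vault URL or path
    git -C "$1" init --quiet &&
    git -C "$1" config user.name "autosync" &&
    git -C "$1" config user.email "autosync@localhost" &&
    git -C "$1" remote add vault "$2"
}

# One sync pass: commit whatever changed, then replicate one way to the vault.
# Intended to run from a timer or scheduled task, with no user interaction.
snapshot() {  # $1 = data dir
    git -C "$1" add --all &&
    if ! git -C "$1" diff --cached --quiet; then
        git -C "$1" commit --quiet -m "autosync $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    fi &&
    git -C "$1" push --quiet vault HEAD:refs/heads/main
}

# After reimaging: recover the data as of a known-good commit (default: latest).
restore() {  # $1 = vault, $2 = destination, $3 = optional known-good commit
    git clone --quiet --branch main "$1" "$2" &&
    if [ -n "${3:-}" ]; then git -C "$2" checkout --quiet --detach "$3"; fi
}
```

Damaged files are replicated too, as newer commits on top of the good ones, so a restore should name the last commit made before the infection rather than take the latest.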