You don’t (cannot) encrypt pools. Only datasets. The root dataset (which shares the same name as the pool) is still a dataset.
If a dataset is passphrase-protected, then a thief has no access to its contents, since it has no “key” on the same server’s unencrypted boot device. Even if they can access your root dataset (with a saved keyfile), your passphrase-protected datasets are still safe.
EDIT: Furthermore, datasets are individual filesystems with individual properties. The way TrueNAS (and ZFS) presents them gives the illusion that they are permanently tethered together. But they’re not. You can replicate a dataset elsewhere (without its parent), even if it is currently “inheriting” properties. On this new pool, it preserves everything, including its properties that it no longer inherits from its former parent.
You can even get really silly and granular by nesting unencrypted datasets “below” encrypted ones. If the parent remains “locked”, the datasets underneath are still accessible and mountable. (TrueNAS does not allow this, to prevent a user from accidentally mounting this in the wrong order, which can cause a host of other issues. ZFS itself has no such limitation.)