First of all, this.
While TrueNAS leverages ZFS, it automates some things that are not inherent with ZFS.
With regards to TrueNAS specifically: Whenever you use a “key” (or keystring) to encrypt a dataset, it saves it on the boot-pool, without a means to “lock” the dataset. (You can only “lock” a passphrase-protected dataset.) To reiterate: This is specific to TrueNAS, not ZFS.
In order to wipe the key for such datasets, you need to export the pool.
However, unless you’re using “raw streams” to backup via replication, then the destination still needs to be unlocked for every replication.