Orientation when starting with the DXP4800 Plus (RAID, encryption, Docker & backups)

ZFS native encryption doesn’t deal with physical drives, partitions, block devices, or pools. The only things that are encrypted are datasets. The “root dataset” (same name as the pool) is also a dataset. It’s recommended to leave this unencrypted. You can encrypt child datasets underneath.

This flowchart helps to understand how this works. The pool (cylinder) is not involved. The root dataset “tank” is unencrypted. The datasets underneath can be “encryptionroots”. Maybe “zroot1” is encrypted, while “zroot2” and “zroot3” are unencrypted? It’s your choice what you want to do.


Sometimes you need to deny yourself access to your own data. Jekyll must not know what Hyde is up to.

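The layout described in the post above, as an added example that is not part of the original post: a Python script that groups datasets by encryption root from `zfs list` output and reports which datasets are unencrypted and which currently have their key loaded. The sample listing is constructed; `tank` and `zroot1` to `zroot3` follow the post, and `tank/zroot1/docs` is an assumed child dataset.

```python
import subprocess

COLUMNS = "name,encryption,encryptionroot,keystatus"

# Constructed sample of `zfs list -H -r -o <COLUMNS> tank` (tab-separated).
# tank and zroot1..3 follow the post; tank/zroot1/docs is an assumed child.
SAMPLE = (
    "tank\toff\t-\t-\n"
    "tank/zroot1\taes-256-gcm\ttank/zroot1\tunavailable\n"
    "tank/zroot1/docs\taes-256-gcm\ttank/zroot1\tunavailable\n"
    "tank/zroot2\toff\t-\t-\n"
    "tank/zroot3\toff\t-\t-\n"
)


def zfs_list(pool):
    """Fetch the same columns from a live system (unused with SAMPLE)."""
    cmd = ["zfs", "list", "-H", "-r", "-o", COLUMNS, pool]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def audit(listing, pool):
    """Group datasets by encryption root and report what is readable now."""
    rows = [line.split("\t") for line in listing.splitlines() if line]
    by_root, plain, readable = {}, [], []
    root_encrypted = None
    for name, encryption, encroot, keystatus in rows:
        if name == pool:
            root_encrypted = encryption != "off"  # the pool's root dataset
        if encryption == "off":
            plain.append(name)  # never protected, key or no key
            continue
        by_root.setdefault(encroot, []).append(name)  # children inherit the root
        if keystatus == "available":
            readable.append(name)  # key loaded: data is accessible
    return {
        "root_dataset_encrypted": root_encrypted,
        "encryption_roots": by_root,
        "unencrypted": plain,
        "key_loaded": readable,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE, "tank").items():
        print(f"{key}: {value}")
```

On a live system, pass `zfs_list("tank")` instead of `SAMPLE`; a dataset listed under `key_loaded` stays readable until its key is unloaded.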