It’s the simplest solution. Make sure you confirm and check each dataset replication after it’s done.
Nothing to do with ZFS. When you do a file “move”, it deletes the original after it gets copied to the new dataset. If you lose power, or accidentally abort the operation, you’ll be left in a half-complete state, and you might later realize something that you didn’t think about before. Then it would become difficult to undo the “move” to your original pool’s state.
Encryption is per dataset. If a parent is encrypted, but a child is not, then yes, the files on the child dataset are easily accessible. With any Linux box, you can independently “mount” the child dataset without needing to unlock its parent.
The only relation encrypted children have to their parents is if they share a common “encryptionroot”, which allows them to be unlocked together with the same key/passphrase, seamlessly.
As for “it’s not allowed”, that’s a TrueNAS policy. The middleware tries to prevent you from doing this. Since you used the `zfs rename` command, you bypass the middleware. Otherwise, TrueNAS would not allow it.
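To check a pool for the situation described above (an unencrypted dataset sitting under an encrypted one, or a child that does not share its parent's encryptionroot), the listing from `zfs list` can be audited with a short script. This is an added example, not part of the original post; the pool name `tank`, the function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag datasets whose encryption state differs from an
# encrypted ancestor. Input is tab-separated "name encryption encryptionroot",
# as produced on a real system by:
#   zfs list -H -o name,encryption,encryptionroot -r tank | audit_zfs_encryption

audit_zfs_encryption() {
    awk -F '\t' '
    { enc[$1] = $2; root[$1] = $3; order[NR] = $1 }
    END {
        for (i = 1; i <= NR; i++) {
            name = order[i]; anc = name; found = ""
            # Walk up the path until the nearest encrypted ancestor is found.
            while (sub("/[^/]*$", "", anc)) {
                if ((anc in enc) && enc[anc] != "off") { found = anc; break }
            }
            if (found == "") continue
            if (enc[name] == "off")
                # Readable without unlocking the encrypted ancestor.
                print "UNENCRYPTED_CHILD\t" name "\t" found
            else if (root[name] != root[found])
                # Encrypted, but not unlocked together with the ancestor.
                print "SEPARATE_ENCRYPTIONROOT\t" name "\t" root[name]
        }
    }'
}

# Constructed sample listing (hypothetical pool "tank"), so the script runs
# without a ZFS pool present.
sample_listing() {
    printf '%s\t%s\t%s\n' \
        tank                  off         - \
        tank/secure           aes-256-gcm tank/secure \
        tank/secure/docs      aes-256-gcm tank/secure \
        tank/secure/media     off         - \
        tank/secure/media/raw off         - \
        tank/secure/vault     aes-256-gcm tank/secure/vault \
        tank/public           off         -
}

sample_listing | audit_zfs_encryption
```

Each output line gives the finding, the dataset, and either the encrypted ancestor it sits under or its own encryptionroot.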