I think this is already sufficient to protect from automated ransomware, from what I see it is rather simple, you just need to be better protected that the least protected half.
I use an uncommon way to compose my password from a password locked to my user account. This way it isn't enough to steal my config and rclone script, you would also need an IT knowledgable to find and execute the script from my user account. I consider that very unlikely unless you are a high value target. My script is inspired by this post.
The only way to truly protect against an IT knowledgeable human having access to you account is to have versioned backups behind a wall needing 2FA to delete/modify the historic versions, like @asdffdsa is doing with S3 policies. I do something similar using a server acting very much like the rsync.net snapshots.
Sounds like you will be happy to read this: