I should have also added that you keep software up to date. Any previously exploited vulnerabilities (ideally) get patched over time. Of course, if you've been pwned at ring 0 by a persistent and active attacker, you've got more problems to worry about than automated exploitation of out-of-date software.
Assuming it's not ring 0 or something equivalent, they will have, at most, whatever the time limit is between rotations. If you rotate every six months, they could conceivably have six months of data. And if the zero-day is still not patched, they could have another six months, and another, and another. There's no guarantee of not being compromised. It's just a matter of not making it easy by using the same passwords and same software versions for years at a time.
If your disk encryption software gets exploited, then presumably it's a hop, skip and a jump to make your way into the kernel, rendering recovering from tainted backups pointless. You'd have to start from scratch with new encryption software that you trust hasn't been exploited.
There's always a chain of trust that you have to follow down. It just gets harder to mess with the deeper you go. Not impossible, just more difficult and less likely to be entirely automated.