The authentication details are stored in the DB and certainly not easily readable. That data in the DB is encrypted and you cannot just decrypt that. But that being said, a very specific written Trojan might succeed in getting that information out and then access the NAS and encrypt your backup files. Far fetched? Maybe, possible, unfortunately.
When you backup to a Veeam server, it is still the client who manages retention. After all, in the client, you can change the retention from 7 days to 1 (for example) and the change will be done on next backup.
But if you read through this entire thread (I know, it is a lot
) you will certainly find good mechanisms to defend your system. If you consider backup to a VBR repository, then you can do backup copy jobs of that data to a repository that supports rotating drives.
As you will see in this thread, you can harden your solution as much as possible, making the possibility of losing your backup files much less possible, but as long as it is not air-gapped, there is a risk. At my home (for the family) I simply use rotating USB devices (and the nice little checkbox to eject the device after backup). The only thing I had to do was teach my family (make that the kids, they understood it faster
) that each day they need to unplug the USB, and plug in the other one. Yes it is manual work and it is not fault-proof but it could be that simple