Thank you everyone for all the helpful and informative replies. I ended up using zfs without encryption in a configuration similar to what David had suggested. To summarise:
1. I was concerned hiding the SAS drives behind cgd could interfere with low-level fault tolerance mechanisms of zfs (which I'm rather clueless about). 2. Stacking cgd on top of zfs also seemed unnatural as was pointed out, and would also diminish part of the value of using zfs. 3. Brandon pointed out that historically very large cgd volumes may have been easier to compromise, another reason not to stack cgd on top of zfs. My current setup is zfs on gpt with no encryption. If/when I have a secondary backup in place, I may revisit 1, since zfs on cgd still seems like a reasonable pattern to me. I wonder if native zfs encryption may come to NetBSD at some point (and if I would want it at all).
