Nobody wants a data exfiltration, but most of the time data is exfiltrated before encrypted. It would be great to make canary files traceable and unique so that if data is exfiltrated, we could search for leaks on the dark web.

That means. Be able to place canary files on targedet locations (example network shares). The canary files should be updated regularly so that it would be possible to identify when data was leaked.

Maybe with a reporting functionality as canary tokens?

That way, you can also find insider threats of trusted people leaking data out on the dark web without encrypting all the files afterwards.