Tested WSA against a screen-lock ransomware. When screenlock appeared I allowed system to run for a few hours.
In this particular case, WSA 126.96.36.199 journalling and rollback did not reverse malware actions and screenlock persisted.
Just a suggestion:
Incorporate an anti-screenlock feature into WSA that permits the user to disable the screenlock using a key ccombination, e.g. CTRL + ALT + DLT (2X)... or for increased protection, a user-defined combination of keys.