To answer your question,
Well, if that's the case, then Azure SQL transparent data encryption with customer-managed key may help.
Azure SQL transparent data encryption (TDE) with customer-managed key enables a Bring Your Own Key (BYOK) scenario for data protection at rest, and allows organizations to implement separation of duties in the management of keys and data. With customer-managed TDE, the customer is responsible for and in full control of key lifecycle management (key creation, upload, rotation, deletion), key usage permissions, and auditing of operations on keys.
Once a database is encrypted with TDE using a key from Key Vault, any newly generated backups are also encrypted with the same TDE protector. When the TDE protector is changed, old backups of the database are not updated to use the latest TDE protector.
To restore a backup encrypted with a TDE protector from Key Vault, make sure that the key material is available to the target server.
Key Vault is highly available and scalable secure storage for RSA cryptographic keys, optionally backed by FIPS 140-2 Level 2 validated hardware security modules (HSMs). It doesn't allow direct access to a stored key, but provides services of encryption/decryption using the key to the authorized entities.
One of the benefits of customer-managed TDE is greater trust from your end customers, since AKV is designed such that Microsoft can't see or extract encryption keys.
All points are from the reference document "Customer-managed transparent data encryption (TDE) - Azure SQL Database & Azure SQL Managed Instance & Azure Synapse Analytics | Microsoft Learn".
Please have a look.
Thank you!
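An added example, not part of the answer above or of the Microsoft documentation it cites: because old backups stay encrypted with the TDE protector that was active when they were taken, a restore plan has to track which key versions retained backups still depend on. The sketch below works on an offline, constructed rotation history and backup list; the key identifiers are placeholders and the function names are hypothetical, and it assumes each backup uses the protector current at the time it was taken.

```python
from bisect import bisect_right
from datetime import datetime

# Constructed sample data, sorted by time: (when the key became the TDE
# protector, key identifier). Identifiers are placeholders, not real URIs.
ROTATIONS = [
    (datetime(2024, 1, 1), "tde-key/v1"),
    (datetime(2024, 4, 1), "tde-key/v2"),
    (datetime(2024, 7, 1), "tde-key/v3"),
]
# Constructed timestamps of backups still inside the retention window.
BACKUPS = [datetime(2024, 3, 15), datetime(2024, 5, 20), datetime(2024, 7, 10)]
# Constructed set of key versions the target server can currently use.
AVAILABLE_ON_TARGET = {"tde-key/v2", "tde-key/v3"}


def protector_at(rotations, when):
    """Return the key that was the TDE protector at time `when`."""
    times = [t for t, _ in rotations]
    idx = bisect_right(times, when) - 1
    if idx < 0:
        raise ValueError(f"no TDE protector recorded before {when}")
    return rotations[idx][1]


def keys_needed(rotations, backups):
    """Map each required key to the backups that were encrypted with it."""
    needed = {}
    for taken in sorted(backups):
        needed.setdefault(protector_at(rotations, taken), []).append(taken)
    return needed


def unrestorable(rotations, backups, available):
    """Backups whose protector is not available to the target server."""
    needed = keys_needed(rotations, backups)
    return sorted(t for key, taken in needed.items()
                  if key not in available for t in taken)


if __name__ == "__main__":
    for key, taken in keys_needed(ROTATIONS, BACKUPS).items():
        state = "ok" if key in AVAILABLE_ON_TARGET else "MISSING"
        print(f"{key}: {len(taken)} backup(s), {state}")
    print("cannot restore:",
          unrestorable(ROTATIONS, BACKUPS, AVAILABLE_ON_TARGET))
```

Any key reported as missing has to be made available to the target server before the listed backups can be restored, and must not be deleted from Key Vault while those backups are retained.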