I can’t speak to the security of biometrics or TPM, but with regards to the old gHacks article that you’ve linked, this is a re-telling of blog post by Ambiso, which was thoroughly discussed both here on the Community forum and on Reddit when it was first published — and largely dismissed as FUD.
The quote from my contribution to the discussions back in March:
To answer your specific question about whether someone can “copy the vault to a thumb drive and brute force the pin”, please refer to this comment of mine, from a 2022 thread:
This comment from 2022 only demonstrates how brute-forcing might be done manually, and postulates that automation may be possible. However, Ambiso’s proof-of-concept from January 2023 demonstrates how an off-line brute-force attack can be automated using a script.