OK. I think I found the answer. There are TPM 2.0 vulnerabilities affecting computers probably being shipped since 2016. Maybe for some, TPM key storage can no longer be trusted. VU#782720 - TCG TPM2.0 implementations vulnerable to memory corruption.
See also this thread: