by julie78787 3763 days ago
But even if they could, UNIX domain sockets aren't immune to attacks. That's sort of the problem with "First, assume your machine has been pwn'd".
1 comments

Yes; if we assume the machine has been pwned, then whatever we can still trust is anywhere else but in that machine. At best we can come up with ways to securely smuggle bits through the pwned machine between two trusted endpoints; but we cannot manipulate any secrets on that machine.

(Trusted computing relies on some tamper-resistant core of the machine not being pwned when the rest of it is pwned.)