* Unless you get an Evil Maid attack [0], like adding a physical keylogger to the keyboard bus.
If the device is decrypted but on lock screen (like with TPM) there are more options, the main one is reading memory via DMA [1] on an ExpressCard slot (eg the wifi card). Also swapping out the memory to do a cold boot attack [2] is possible.
Actually, attacks using Thunderbolt PCIe capabilities are too much realistic that it is no longer funny (and it is not just a security bug, its a real feature).