by bobdvb
839 days ago
There's a thing called Trusted Execution Environments; they're provisioned by the phone manufacturer, which is why most people who play with ROMs aren't familiar with them either. But they're heavily related to TPMs. Basically, TEEs allow code to be executed that the OS has no control over, and the OS cannot hope to even touch the memory; it's hardware-separated by the SoC (system on chip). There are cryptographic accelerators which can be used to sign things and encrypt things, again which the OS has no ability to see, and secrets can be held in ways that the OS can never touch. Use of the TEE depends on the bootloader being signed and the OS boot process being authenticated. There are other aspects around Android as well, not specifically related to TEE, around user processes never being able to have privileged access, but TEE is a less known part of the modern Android ecosystem.
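The "secrets the OS can never touch" point above is what Android exposes to apps through the hardware-backed Keystore: the key is generated and used inside the TEE (or StrongBox), and the OS only ever sees a handle and the resulting signature. The following is an added example, not code from the comment's author; the class name `TeeKeyDemo` and the alias `tee-demo-key` are hypothetical, and it assumes a device running API level 31 or later.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;

public final class TeeKeyDemo {
    private static final String ALIAS = "tee-demo-key"; // hypothetical key alias

    // Generate an EC P-256 signing key inside the Android Keystore. The private
    // key material never leaves the keystore; on a device with a TEE it lives
    // there, outside the OS. The attestation challenge lets a remote party later
    // verify the key's origin and the device's verified-boot state.
    public static KeyPair generate(byte[] attestationChallenge) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setAttestationChallenge(attestationChallenge)
                .build());
        return kpg.generateKeyPair();
    }

    // Ask the keystore where the private key actually lives. Only trust the
    // key for hardware-rooted use if it reports the TEE or StrongBox level;
    // a software-level answer means the OS could reach the key material.
    public static boolean isHardwareBacked(PrivateKey key) throws Exception {
        KeyFactory kf = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
        int level = kf.getKeySpec(key, KeyInfo.class).getSecurityLevel();
        return level == KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT
                || level == KeyProperties.SECURITY_LEVEL_STRONGBOX;
    }

    // Sign a message. The signing operation runs in the secure hardware; the
    // calling app and the OS receive only the signature bytes.
    public static byte[] sign(byte[] message) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign((PrivateKey) ks.getKey(ALIAS, null));
        s.update(message);
        return s.sign();
    }
}
```

The attestation certificate chain for the alias can be read back with `KeyStore.getCertificateChain(ALIAS)` and verified off-device against the challenge and the Android attestation roots.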