[edg5000]

But without password, anybody can physically access the device and exfiltrate data. That is even easier than regular password protection, where the storage medium would have to be removed or a live OS would have to be booted.

The risk is data leakage. With a TPM and no password, there is no data leakage protection.

[repiret]

Passwordless boot with a TPM means the software can control what secrets it gives out. Yeah, if you boot to a desktop operating system and auto-login as an admin user, that doesn't leave things very secure, but that's not the only scenario.

Consider a server. It can have an encrypted hard drive, boot with the TPM without a password, and run its services. In order to steal data from it, you need to either convince software running on the server to give you that data, or you need to do some sort of advanced hardware attack, like trying to read the contents of DRAM while the computer is running.

There are other use cases too, like kiosks, booting to a guest login, corporate owned laptops issued to employees, allowing low-entropy (but rate limited) authentication after booting, to name a few.