[layer8]

Keys are stored securely in a TPM in the sense that a random program has no access to it. They are not stored safely there in the sense that they couldn’t possibly get destroyed. TPM hardware, or the motherboard that hosts it, occasionally fails. Or you might want to migrate your physical hard drive to a different PC. That’s the purpose of backing up the keys to the cloud. Alternatively, you can write down a recovery key and put it in your safe. Personally, I put it in my password vault that also happens to be backed up to the cloud (though not Microsoft’s).

[direwolf20]

There's also no security in the communication between the CPU and the TPM, so you can plug in a chip that intercepts it and copies all the keys, or plug the TPM into a chip that pretends to be the CPU and derives identical keys.

[vel0city]

The TPM on most computers these days is a sectioned off part of the CPU that only talks through channels on the package/die (fTPM). Good luck plugging something in on that.