For desktop TPMs, at least to me, they seem a bit of a black box with many past vulnerabilities: https://en.wikipedia.org/w/index.php?title=Trusted_Platform_....
I think at cold boot, as long as one doesn't store the encryption key in the TPM (external hardware key?), one should be secure. I am not so sure about post-boot, however, once the system is already running.
This actually prompted me to research a bit on the scale of the security impact of SMM:
https://en.wikipedia.org/wiki/System_Management_Mode
https://doc.coreboot.org/security/smm.html
It seems that coreboot is aware of this and supposedly, for some computers, can be implemented to catch calls to SMM (ideally this would prevent the attacker from triggering SMM - if they do, it's game over).
I do suspect, though, that if the system bus is not protected from malicious calls, then someone can trigger SMM and have carte blanche over one's computer.
https://www.infoworld.com/article/2167684/hackers-find-a-new...
https://hothardware.com/news/researchers-discover-rootkit-ex...
I don't know what processes Apple / Android use, but I suspect ARM chips don't have SMM and that they tie certain functions to their secure enclave. On x86 it's backwards, with SMM having control over the TPM (at least in some implementations).
Though some SMM vulnerabilities are patched by now, given its history I take x86 security with a grain of salt. I think the potential for a secure platform is there, but I suspect one would want to make their own boards, engineered with security in mind, to be certain (I hope this happens in the future - it seems to be happening in the server space already).