Common misconceptions you bring up there. They aren't unwarranted, but there are controls that mitigate it. Opening the case: Business laptops have the option to clear the TPM whenever the case is opened or the BIOS battery goes flat, by the same mechanism. Unless you know exactly where the TPM is located on the mainboard for this specific device AND carefully drill a hole in it - without getting any metal flake inside that could short a circuit and destroy the thing - you COULD extract the keys the TPM is sending to the CPU. This attack has been demonstrated publicly, so it is difficult, but not impossible, especially with common hardware or rich attackers. That's why on modern CPUs, there's another option: a firmware TPM, embedded in the CPU itself. No one is going to a) open the case without triggering the case open switch AND b) remove the CPU itself (which often is soldered to the mainboard nowadays) AND c) keeping the BIOS battery voltage applied to the correct pins on the CPU while doing so, because otherwise (because it'll clear the embedded TPM as soon as that voltage drops) AND d) remove the lid and the silicon material from the flip-chip mounted die itself to get to that 1x1mm area on it where the firmware TPM is located and read that out with an electron microscope. Attackers will not spend such an amount of money on that as it is very expensive even for large and proper intelligence agencies with no guarantees of it even working. If the TPM clear is triggered by something, Windows will reset the PIN and face unlock data and you need to log in with the password and / or the MFA method of your choice. Therefore, the PIN (and the Bitlocker key, stored in the same manner) are probably safer than the password + MFA method of recovering it and therefore, add convenience, but don't subtract security - unless the user chooses birthday or 000000 as their pin.

How long should pin be. Can you use pin with credit cards when shopping?

Need simple answer are pins … can I use pin to get cash ?