Depends on the vendor for the specifics. In general, they don’t protect against an attacker who has gained persistent privileged access to the machine, only against theft.
Since the key either can’t leave the tpm or is useless without it (some tpms have one key that it can never return, and will generate a new key and return it encrypted with it’s internal key. This means you get protection but don’t need to worry about storage on the chip), the attacker needs to remain undetected on the server as long as they want to use it, which is difficult for anyone less sophisticated than an advanced persistent threat.
The Apple system, to its credit, does a degree of user and application validation to use the keys. Generally good for security, but it makes it so if you want to share a key between users you probably won’t be using the secure enclave.
Most of the trust checks end up being the tpm proving itself to the remote service that’s checking the service. For example, when you use your phones biometrics to log into a website, part of that handshake is the tpm on the phone proving that it’s made by a company to a spec validated by the standards to be secure in the way it’s claiming.
I have never felt so old.
Name, address, and phone number of the account holder used to be published in books that got sent to everyone in the city and also just left lying in boxes that had phones in them if you needed to make a call while you weren’t home, because your phone used to be tied to a physical location.
You also used to have to pay extra to make calls to places far away because it used more phone circuits. And by “far away” I mean roughly 50 miles.
It’s not the biggest thing in the world, privacy wise, since a surprising amount of information is considered public.
If you know an address, it’s pretty much trivial to find the owners name, basic layout of the house, home value, previous owners, utility bill information, tax payments, and so on. I looked up my information and was able to pretty easily get the records for my house, showing I pay my bills on time, when I got my air conditioner replaced and who the contractor who did it was.
As an example, here’s the property record for a parking structure owned by the state of Michigan. I chose a public building accessible by anyone and owned by a government to avoid randomly doxing someone, but it’s really as easy as searching for public records for some county or city and you’ll find something pretty fast.