Which is a pretty big security threat that is constantly ignored. It just isn't acknowledged when people talk positively about TPM even if remote attestation is completely build-in by now. Security for whom becomes the question here.