That assumes the TPM is willing to unseal the drive, so you can use a probe to capture the key as it sends it. Microsoft recommend using TPM+PIN which prevents this as the TPM won't release the key unless you provide the PIN. The PIN can be fairly weak as the TPM prevents brute force.

I'm sure there are still vulnerabilities, but this is the method that governments themselves use for their devices, at least in UK.