This is quite a short list, maybe someone's agent can help expand it

What does that have to do with solving the problem?

Until they require fTPMs, an attacker can just choose to use a regular TPM.

A more sophisticated attacker could plausibly extract key material from the TPM itself via sidechannels, and sign their own attestations.

This got me wondering how easy it'd be to automate discovery of BYOVD vulns with LLMs (both offensively and defensively)