Eh I don’t entirely agree. Like I said, it can be done correctly. And when it’s done correctly, it is as secure as the TPM2 itself is. So yes, if a thief is able to compromise the TPM2, then the purpose is defeated. But the point is that this is a significantly difficult barrier. You need to have an active exploit against the TPM2, or something like an electron microscope to extract its secrets. These things are indeed possible (there have been many TPM2 exploits in the past), but again the point is that it is a strong barrier, not a perfect one.
Regardless, even if you don’t want to risk auto-unlocking, the TPM2 is still quite valuable. Binding your LUKS volume to the TPM2 with a pin provides at least the same security as a regular passphrase while also informing you if the secure boot state isn’t as it should be since the pin will fail in that case. Not to mention strengthening the passphrase with the TPM2’s dictionary attack lockout mode, which helps to prevent brute forcing.