Full disk encryption + TPM2

Hey Raj

If you follow the guide I linked earlier, that one goes through the entire setup, including full disk encryption with LUKS2, auto-unlock with TPM, automatic self-signing for Secure Boot, etc.

Depending on how you set up the TPM PCRs you can get different behaviour, but the point is generally that it should not unlock with a live USB; that would make it almost useless.

I haven't done any UEFI firmware updates since my setup, but I can imagine I would need to unlock with the password if that happens and if the PCR for the firmware is added, and then perhaps re-enroll with the same command. So far I have never had to unlock with the password after the initial setup.
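As an added example (not from the linked guide or anyone in this thread), a small Python check that compares the current TPM2 PCR values with a saved baseline, so that when the TPM unlock falls back to the passphrase after a firmware update you can see which PCR moved before re-enrolling. It assumes the sysfs PCR files under /sys/class/tpm/tpm0/pcr-sha256/ and the usual PCR roles (0 = firmware code, 7 = Secure Boot state); the baseline path is hypothetical.

```python
#!/usr/bin/env python3
"""Report which TPM2 PCRs changed against a saved baseline.

Example code for this thread, not from the linked guide. Assumes a Linux
kernel that exposes PCRs under /sys/class/tpm/tpm0/pcr-sha256/<n>.
"""
import json
from pathlib import Path

PCR_DIR = Path("/sys/class/tpm/tpm0/pcr-sha256")   # assumed sysfs layout
BASELINE_FILE = Path("/var/lib/pcr-baseline.json")  # hypothetical location

# Typical meaning of a change in each PCR (TCG PC Client firmware profile).
PCR_MEANING = {
    0: "UEFI firmware code (firmware update)",
    1: "UEFI firmware configuration",
    4: "boot loader code",
    7: "Secure Boot policy and certificates",
}

def read_pcrs(pcr_dir=PCR_DIR, pcrs=tuple(PCR_MEANING)):
    """Read the selected PCRs from sysfs as lowercase hex strings."""
    return {n: (pcr_dir / str(n)).read_text().strip().lower() for n in pcrs}

def pcr_drift(baseline, current, meaning=PCR_MEANING):
    """Map each changed PCR to the usual reason for its change."""
    return {n: meaning.get(n, "unknown role")
            for n, old in baseline.items() if current.get(n) != old}

def would_unlock(baseline, current, bound_pcrs):
    """True only if every PCR the LUKS key slot was sealed to still matches."""
    return all(baseline.get(n) == current.get(n) for n in bound_pcrs)

# Constructed sample values, not real measurements: a firmware update
# touches PCR 0 only, so a slot bound to PCR 7 alone still opens while
# one bound to 0+7 falls back to the passphrase.
SAMPLE_BASELINE = {0: "00" * 32, 1: "11" * 32, 4: "44" * 32, 7: "77" * 32}
SAMPLE_AFTER_FW_UPDATE = {**SAMPLE_BASELINE, 0: "ff" * 32}

if __name__ == "__main__":
    current = read_pcrs()
    if not BASELINE_FILE.exists():
        BASELINE_FILE.write_text(json.dumps(current))
        print("baseline saved; run again after the next boot")
    else:
        saved = json.loads(BASELINE_FILE.read_text())
        baseline = {int(k): v for k, v in saved.items()}
        for n, why in pcr_drift(baseline, current).items():
            print(f"PCR {n} changed: {why}; re-enroll if the slot is bound to it")
```

Run it once after a known-good boot to record the baseline, then again whenever the TPM unlock unexpectedly asks for the passphrase.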