Should security.tpm2 be enabled by default?

I saw that 20.09 now has security.tpm2.

Should it be enabled by default on systems with TPM 2 support?

Are those chips trustworthy like the (Trusted Platform Module) name says?

I think I saw somewhere that we can use the TPM for RNG and for storing keys.

That would require support for detection in nixos-generate-config, and given that it doesn't even detect your graphics driver, I find that quite unlikely.

They are as trustworthy as the companies that make them and the governments of the countries of manufacture. For comparison, I would say they are as trustworthy as the Intel Management Engine.

Maybe that could be handled by nixos-hardware instead.

Is /dev/random (or urandom, I don’t remember which one to use) trustworthy with an Intel CPU if we don’t trust Intel?