A hard drive is a huge source of attack vectors. In particular, if you're running full disk encryption with a very tiny unencrypted ext2 boot/grub2 partition, malicious firmware on a disk can intercept the plaintext keystrokes for a passphrase unlock on FDE. This is a known intelligence agency attack vector.
This specific platform has all of the TPM module feature set disabled, no? Since the code running inside the TPM is proprietary and closed. To the best of my knowledge, super GPL zealot users rarely choose to store a key in the TPM for full disk encryption unlocking purposes.
https://theintercept.com/2015/04/27/encrypting-laptop-like-m...
See the "attacks against disk encryption" section.