The principal difference is the native speed of raw IO - NVMes are an order of magnitude faster than SSDs. TC/VC don't use hardware acceleration, so all the encryption work falls on the CPU. On a machine with a reasonably modern CPU, TC/VC run nearly at the drive's native speed.
No, that's wrong. VeraCrypt uses AES-NI when available. It seems the source of the issue is the IO design of the driver, which causes unnecessary context switches when operating on a raw device.
You can also explicitly disable AES-NI in VeraCrypt and use a pure software implementation if you don't trust the hardware. I usually enable this option.
You could probably imagine the possibility of state actors and Intel, for example, conspiring to backdoor AES instructions of specific targets. Maybe possible with the IME. Not accusing them of this, but it's not out of the realm of possibility. The only things using the AES instructions are important data needing to be encrypted.
On the other hand, trying to backdoor XOR would give you an astronomically higher amount of white noise. Finding important data mixed in with all the other things a computer XORs would be much harder.
The CPU would "just" need to look at all executable pages to find binaries of common AES implementations, and when it finds one it could wait for the key to be loaded and then exfiltrate it. It could also detect (although at greater effort, possibly much greater) when you're using it to compile AES and inject spying code into the output, even if the target is a different architecture.
If the attacker has access to your computer, you've already lost. If the attacker built your computer, it was never even a fight.