I'm also interested to get to understand this aspect because i'm finding this aspects not well documented.

As far that i understand the VTPM lives in the VCSA in a plaintext.

If this is the case i wonder if there could be the possibility to make it password protected so to avoid to leak it on the possible NAS or remote Backups implemented for example via VEAM.