I'm also interested in understanding this aspect, because I'm finding it not well documented.
As far as I understand, the vTPM lives in the VCSA in plaintext.
If this is the case, I wonder if it would be possible to make it password protected, so as to avoid leaking it onto any NAS or remote backups implemented, for example, via Veeam.