This has been another Intel (they designed it) security issue for some time. The OEMs (Dell, HP, Lenovo) all run BIOS/UEFI security settings that you can enforce for Thunderbolt. It’s hilarious that for once Microsoft comes down on the secure side of this. I firmly believe they only bailed on using it for the Surface line because they didn’t want to pay the licensing fees.
You can run BitLocker @ 256-bit or Apple encryption, but I believe what they are concerned about is being able to intercept it by spoofing an approved hardware address (on the bus), just as your machine could send data freely to another authenticated device over Thunderbolt.
I’m sure Intel will issue patched microcode to the OEMs within a few weeks to address it.
According to the article, the problem is in the hardware and no software fix can fix it without a complete redesign of the silicon. Perhaps that's true, perhaps not.