The channel used to transmit the password to the TPM authenticator is the same secure channel used for communications. Direct interception isn’t possible. They could use a keylogger, but then there are larger security problems if someone has a keylogger on their system.
Also, the TPM is enabled and active during the entirety of the session. Accessing the TPM while the system is offline is not possible. Accessing the TPM while the system is asleep is technically possible, but the channels to get to the TPM on an S3 motherboard are not usually open.
TPM stands for Trusted Platform Module for a reason. It’s intended to act as a non-repudiation and platform authenticity modality. If two-factor authentication is used in your environment (i.e. cert and password), this is just another form of authentication of a platform on a network or system.
A lot can happen in a tenth of a second on a 1 GHz processor.
The user would never notice that the start-up was a bit slow this one time.
Better, do it at a shutdown where winders is installing updates. No one ever knows how long that's going to take!