A genuinely ignorant question: if TPM 2.0 is used to store decryption keys for e.g. BitLocker, what good does this do against malefactors if my machine is powered on and running and I am logged in and authenticated?
I can see it being useful for a powered-down laptop, but isn't it far more likely that your running computer gets hit by malware?
I.e., isn't it far more likely your bank gets hacked instead of some scofflaw rifling through your trash to find un-shredded financial documents?
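The distinction the question is circling (what a TPM-sealed key protects against, and what it does not) can be made concrete with a small simulation. The following is an added example, not part of the original post and not the TPM 2.0 API: it mirrors only the hash-chain semantics of PCR extension (PCR_new = SHA-256(PCR_old || SHA-256(data))) and the rule that a sealed secret is released only when the current PCR value matches the policy recorded at seal time. The component names, the toy "volume master key" and the `ToyTpm` class are constructed for illustration. It shows a clean boot unsealing the key, a tampered bootloader leaving the key sealed, and the running-system case where the key has already been released into OS memory and is reachable by anything executing in that session.

```python
import hashlib
import hmac

# Toy model of measured boot plus sealing. Constructed example only; it does not
# talk to a real TPM and simplifies the real policy machinery to one PCR.


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR_new = SHA-256(PCR_old || SHA-256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Replay a boot chain into a single PCR that starts as 32 zero bytes."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


class ToyTpm:
    """Holds sealed secrets and releases them only when the PCR policy matches."""

    def __init__(self):
        self._sealed = {}
        self._next_handle = 0

    def seal(self, secret: bytes, expected_pcr: bytes) -> int:
        handle = self._next_handle
        self._next_handle += 1
        self._sealed[handle] = (secret, expected_pcr)
        return handle

    def unseal(self, handle: int, current_pcr: bytes) -> bytes:
        secret, expected_pcr = self._sealed[handle]
        # Constant-time compare of the recorded policy digest with the live PCR.
        if not hmac.compare_digest(expected_pcr, current_pcr):
            raise PermissionError("PCR policy mismatch: secret stays sealed")
        return secret


# Constructed measurements; the strings stand in for hashed firmware/boot images.
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
TAMPERED_CHAIN = [b"firmware-v1", b"bootloader-evil", b"kernel-v1"]


def run_scenario() -> dict:
    """Return which of three situations exposes the sealed key."""
    tpm = ToyTpm()
    vmk = b"\x11" * 32  # constructed stand-in for a volume master key
    handle = tpm.seal(vmk, measure_boot(GOOD_CHAIN))

    # 1. Offline attacker alters the bootloader: PCR differs, unseal fails.
    try:
        tpm.unseal(handle, measure_boot(TAMPERED_CHAIN))
        tampered_unseals = True
    except PermissionError:
        tampered_unseals = False

    # 2. Clean boot: PCR matches, the OS receives the key and keeps it in RAM.
    os_memory = {}
    os_memory["vmk"] = tpm.unseal(handle, measure_boot(GOOD_CHAIN))

    # 3. Malware running inside the already-booted session never needs the TPM:
    #    the key is already plaintext in OS memory, so the seal gives no protection here.
    malware_view = os_memory.get("vmk")

    return {
        "tampered_boot_unseals": tampered_unseals,
        "clean_boot_unseals": os_memory["vmk"] == vmk,
        "key_reachable_on_running_system": malware_view == vmk,
    }


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case}: {outcome}")
```

The model makes the trade-off visible: sealing binds the key to a measured boot state, which defeats the powered-off scenarios (stolen drive, modified bootloader), while on a running, unlocked system the key has necessarily been released to the OS and the remaining controls are the ordinary ones (least privilege, patching, endpoint detection).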