An evil maid attack uses physical access to an unattended device — installing a keylogger, replacing firmware, or compromising the bootloader to steal encryption keys.

BitLocker with a startup PIN defeats this — the PIN must be entered before the TPM releases the encryption key. TPM-only protection (no PIN) is vulnerable — the TPM releases the key automatically at boot, with no secret required from the user. Physical security + pre-boot PIN = defense.