TPM 2.0 is a microcontroller that stores keys, passwords, and digital certificates. It has nothing to do with preventing you from getting hacked. It only protects your data when your storage drive is stolen, and that drive is plugged in to another computer. Since your storage drive is encrypted using the encryption keys that managed by your TPM whether it is discrete or firmware based, if it is connected to another device that doesn’t have the TPM with the matching keys to decrypt it, you can’t read the data.
Similar way how BitLocker works. When you turn your PC on, the BitLocker keys that’s stored in the TPM will decrypt the drive and you can use your PC like usual. When you shut your PC down, the TPM encrypts the drive again and your storage is locked. So if your PC is on, and you got hacked, TPM can’t do anything about it, because your drive is in a decrypted state.
If you want a good protection from hackers, or malware, viruses, ransomware. It’s a good idea to invest some money to have a security software install like BitDefender for example. It installs firewalls, ransomware protection, spam, phishing attempts, everything. You are much more likely to be protected using a proper security software installed and running even without having TPM enabled, than you would have if you have TPM enabled but you don’t have any security system installed.
If I had to guess why TPM 2.0 is mandatory for Windows 11, is that they want to have BitLocker encrypt the installation drive as mandatory. It has nothing to do about getting your computer attacked. It’s about keeping the content of your drive safe from unauthorised access.