* Unless you get an Evil Maid attack [0], like adding a physical keylogger to the keyboard bus.
If the device is decrypted but on lock screen (like with TPM) there are more options, the main one is reading memory via DMA [1] on an ExpressCard slot (e.g. the Wi-Fi card). Also swapping out the memory to do a cold boot attack [2] is possible.
Actually, attacks using Thunderbolt PCIe capabilities are so realistic that it is no longer funny (and it is not just a security bug, it's a real feature).
[0] https://en.wikipedia.org/wiki/Evil_maid_attack
[1] https://github.com/ufrisk/pcileech
[2] https://en.wikipedia.org/wiki/Cold_boot_attack