Fully agreed on attested bootchains. General-purpose level OS-wide attestation is indeed a blight on open computing: It's ineffective because it implies a gigantic trusted code base (what are the odds that the entire Windows kernel is completely free of vulnerabilities?), and conversely it does tie you to somebody else's more or less arbitrary kernel build.
Almost completely disagree on TPMs. A better comparison than a spy would probably be a consulate (ok, maybe an idealized one, located underground in a Faraday cage): Their staff doesn't get to spy on you, but if you ever do want to do business with companies in that country and need some letters notarized/certified, walking into their consulate in your capital sure beats sending trustworthy couriers around the world every single time.
To torture that analogy some more: Sure, the guest country could try to extend the consulate into a spy base if you're not careful, and some suspicion is very well warranted, but that possibility is not intrinsic to its function, only to its implementation.
By that same logic, evil is not inherent to attested bootchains either. When used to verify that the computer loaded the OS that the end user expected, it is a very powerful security tool. It is only bad when the keys aren't under the control of the device owner.
You're mixing up the authentication and attestation parts of secure boot here.
You can absolutely install Linux, run secure boot (e.g. to protect you against "evil maid attack"), use your TPM to store your SSH keys, and live a happy and attestation-free life.
You can also do other things, but if you don't want to, why would you?
Attested boot chains aren't normally being used to attest a whole general purpose OS. They attest up to a small hypervisor that allows partitioned worlds to be created and chain attested, and then sensitive computations are done inside that.