Running sensitive data on untrusted machines (like the cloud) is simply not possible. There are many attacks on systems that claim to achieve this.
No one should trust that a TPM can keep keys safe from a serious adversary with physical and remote access.
TREZOR is not really comparable to this. TREZOR would be useful if Linux were ever modified to function with encrypted RAM support and move the LUKS key to the CPU register. I think this will be the only serious way to protect encryption keys on machines with NVRAM in the future for people who don’t trust TPMs to protect them - and they shouldn’t.