Nvidia drivers have had way more issues with mobile chips than with desktop. GPU compute workloads (including things like Blender) are very well supported. Nvidia on Linux has dominated the compute market for a long time.

The TPM releases the key to the OS at boot time. Without that, there would be no way for the OS to load (assuming the root FS is encrypted).

The key is bound to PCRs in the TPM, which control under what conditions the key can be released. For example, it can be tied to secure boot, bios settings, etc.

In addition to what others have said, make sure the vents are not full of dust or obstructed.

Aside from the group suggestions, you could also use ACLs. https://wiki.archlinux.org/title/Access_Control_Lists