even if a keychain was somehow secure and restricted access to that program only, you are only a memory dump away from getting the key

and since it's the same user, that can be done with no privileges

it should be viewed as a way to delegate encryption at rest of secrets to the OS, nothing else

but you really should just do FDE


Discussion

also BitLocker can kindly eat shit because it is set up with TPM dependence by default

so if you even dare to boot a Linux ISO with Secure Boot on, that will cause a change to the EFI key list to add your distribution key and change the PCRs, therefore invalidating the TPM key and making BitLocker ask you for the recovery key stored in your MS account that you were never told about

Is there no way to use key stretching to encrypt the key in RAM again?

where do you store the key for encrypting the key in RAM?

in RAM of course

In a secure element if possible.
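A worked example of both points in this thread (the original note's "you are only a memory dump away from the key", and the question of wrapping the key in RAM with a stretched key), added here and not posted by any participant. It is Linux-only: it parses /proc/self/maps and reads the process's own writable regions through /proc/self/mem, which the kernel permits for any unprivileged process on itself, and counts how many times each piece of key material appears. The application key, passphrase and salt are random constructed values; the XOR "wrap" is a toy stand-in for a real key-wrap such as AES-KW, chosen so the example needs only the standard library. The names derive_kek, wrap_key, scan_own_memory and demo are this example's own.

```python
"""Show that a secret held in process memory, and anything used to wrap it,
is recoverable from a memory image of that process (Linux only)."""
import hashlib
import os

KEY_LEN = 32


def derive_kek(passphrase: bytes, salt: bytes) -> bytes:
    # Key stretching with scrypt; parameters are kept small for a demo run.
    return hashlib.scrypt(passphrase, salt=salt, n=2**14, r=8, p=1, dklen=KEY_LEN)


def wrap_key(key: bytes, kek: bytes) -> bytes:
    # Toy wrap (XOR one-time pad). A real design would use AES-KW or AES-GCM;
    # the weakness shown below does not depend on the wrap algorithm.
    assert len(key) == len(kek) == KEY_LEN
    return bytes(a ^ b for a, b in zip(key, kek))


unwrap_key = wrap_key  # XOR is its own inverse


def readable_regions():
    # Writable private regions: heap, stacks and the anonymous mmaps that
    # CPython's allocator and glibc malloc hand out. File-backed data segments
    # are skipped; they hold no application secrets here.
    regions = []
    with open("/proc/self/maps") as maps:
        for line in maps:
            addr, perms, _offset, _dev, _inode, *path = line.split(None, 5)
            if not perms.startswith("rw"):
                continue
            name = path[0].strip() if path else ""
            if name and not (name.startswith("[heap]") or name.startswith("[stack")):
                continue
            start, end = (int(x, 16) for x in addr.split("-"))
            if start >= 2**63:  # outside pread's signed offset range
                continue
            regions.append((start, end))
    return regions


def scan_own_memory(needle: bytes, chunk: int = 1 << 20) -> int:
    """Count occurrences of needle in this process's writable memory."""
    hits = 0
    fd = os.open("/proc/self/mem", os.O_RDONLY)
    try:
        for start, end in readable_regions():
            pos, tail = start, b""
            while pos < end:
                try:
                    data = os.pread(fd, min(chunk, end - pos), pos)
                except OSError:
                    break  # guard page or a region the kernel refuses to expose
                if not data:
                    break
                # Keep the last len(needle)-1 bytes so a match straddling two
                # reads is still counted exactly once.
                hits += (tail + data).count(needle)
                tail = data[-(len(needle) - 1):] if len(needle) > 1 else b""
                pos += len(data)
    finally:
        os.close(fd)
    return hits


def demo() -> dict:
    key = os.urandom(KEY_LEN)      # the application secret (constructed)
    passphrase = os.urandom(16)    # what the user "types" to unlock it (constructed)
    salt = os.urandom(16)
    kek = derive_kek(passphrase, salt)
    wrapped = wrap_key(key, kek)
    assert unwrap_key(wrapped, kek) == key
    # Everything needed to recover the key is resident at the moment it is
    # usable, so a same-user memory read finds all of it.
    return {
        "key": scan_own_memory(key) > 0,
        "kek": scan_own_memory(kek) > 0,
        "passphrase": scan_own_memory(passphrase) > 0,
        "wrapped": scan_own_memory(wrapped) > 0,
    }


if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name:11s} found in RAM: {found}")
```

Reading another process of the same user goes through the same ptrace access check (Yama's ptrace_scope decides whether a non-ancestor may do it), which is why a debugger, a core dump or gcore recovers the same material. Wrapping the key with a stretched KEK only moves the problem: the KEK, or the passphrase it was derived from, has to be in memory at the moment the key is unwrapped, and CPython does not zero freed bytes objects, so even `del` leaves copies behind. Keeping the unwrapping key in a secure element or TPM, as the last reply suggests, is the only way the dump stops containing it.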