There is an answered question which asks about the specifics and the answers are technical. I am looking for a conceptual answer in an ELI5 manner.
A TPM is a hardware chip which stores critical keys. I.e. instead of keeping your private key as a file in .ssh/id_rsa
it is placed within a TPM.
This way the content of the private key is never exposed, neither as a file nor in the RAM of the computer. It would be available in the computer RAM if the ssh was doing the decryption.
Instead, SSH will use the API provided by the TPM and say something like
Hey TPM, can you encrypt/decrypt this data without me ever touching the key?
How does a TPM know that it's ok to provide these encryption/decryption services to an application (in this case SSH)?