100% - Apple wouldn’t be so stupid as to move the private host keys to an unencrypted partition when the Secure Enclave is _right there_. No way is the Secure Enclave too slow for this - it’s exactly what it’s designed to do!

I misspoke. I meant a partition that is only protected by the machine-level keys.

But then I also realized that it's still likely to be hard to access for the attacker. So I don't really have much issues with that.

They are encrypted with a SEP key when stored in preboot volume.