As others have pointed out, you can use systemd-cryptenroll to add your TPM as a way to unlock the disk at boot. Security of this should be fine if Secure Boot is enabled (it will need to be for this to work anyway) and a password is set for the UEFI. See the ArchWiki entry for setup info (the command is as simple as systemd-cryptenroll --tpm2-device=auto /dev/rootdrive). Also, the device needs to be encrypted with LUKS2; no idea if Zorin uses that by default, but you can convert LUKS1 to LUKS2 (back up your headers first!).
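The workflow in the post above, as an added example that is not part of the original reply: a small POSIX sh script that checks the Secure Boot state before binding to PCR 7, reads the LUKS version out of cryptsetup luksDump, backs up the header, converts LUKS1 to LUKS2 when needed, and only then runs systemd-cryptenroll. It assumes systemd-cryptenroll, cryptsetup and mokutil are installed and that it is run as root; the sample luksDump text at the top is constructed for offline testing of the parsing helpers.

```shell
#!/bin/sh
# Added example (not from the original post): wrap the systemd-cryptenroll
# enrollment described above with the checks a practitioner wants first.
# Assumptions: systemd-cryptenroll, cryptsetup and mokutil are installed,
# and the script runs as root with the device path as its only argument.
set -eu

# Constructed sample `cryptsetup luksDump` output, used only for testing
# the parser below (real output has more fields; only "Version:" matters).
SAMPLE_LUKS1_DUMP='LUKS header information for /dev/sdb1

Version:       	1
Cipher name:   	aes'

SAMPLE_LUKS2_DUMP='LUKS header information
Version:       	2
Epoch:         	3
Metadata area: 	16384 [bytes]'

# Extract the LUKS format version ("1" or "2") from luksDump text.
# Prints nothing if no Version line is found.
luks_version_from_dump() {
    printf '%s\n' "$1" | sed -n 's/^Version:[[:space:]]*\([12]\).*/\1/p' | head -n 1
}

# Map `mokutil --sb-state` output to the PCR list to bind the key to.
# PCR 7 records the Secure Boot policy and keys, which is the binding the
# post relies on; with Secure Boot off, PCR 7 alone does not pin anything
# useful, so refuse rather than enroll a weak policy.
pcr_policy_for() {
    case "$1" in
        *enabled*)  printf '7' ;;
        *)          return 1 ;;
    esac
}

enroll_tpm2() {
    dev="$1"

    sb_state=$(mokutil --sb-state 2>/dev/null || true)
    pcrs=$(pcr_policy_for "$sb_state") || {
        echo "Secure Boot is not enabled; refusing to bind the LUKS key to PCR 7" >&2
        return 1
    }

    dump=$(cryptsetup luksDump "$dev")
    ver=$(luks_version_from_dump "$dump")

    # Always keep a header backup before touching the header; the converted
    # or enrolled header cannot be rolled back otherwise.
    backup="/root/luks-header-$(basename "$dev")-$(date +%Y%m%d%H%M%S).img"
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup"
    echo "header backed up to $backup" >&2

    case "$ver" in
        1)
            # cryptsetup requires the device to be inactive for this, so in
            # practice it is run from a live environment, not the booted root.
            cryptsetup convert --type luks2 "$dev"
            ;;
        2)
            ;;
        *)
            echo "could not determine LUKS version of $dev" >&2
            return 1
            ;;
    esac

    # Enroll the TPM2 as an additional key slot; the existing passphrase slot
    # stays, so a PCR change only means typing the passphrase at boot.
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$pcrs" "$dev"
}

# Only act when a device is given; sourcing the file for its helpers is safe.
if [ $# -eq 1 ]; then
    enroll_tpm2 "$1"
fi
```

Usage is simply the device path as argument, e.g. the LUKS partition holding the root filesystem. The PCR 7 value matches systemd-cryptenroll's default; it is passed explicitly so the Secure Boot check and the binding it justifies stay visibly tied together.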
Ubuntu Core would work for this. Is this a security-critical setup? Otherwise I don't see why you would go immutable; if you just want a nice base for hosting containers, I'd recommend DietPi running something like CasaOS (or just plain Docker). You can set up auto upgrades pretty easily in DietPi!