In reply to @grahamc:nixos.org
like, I think the nvram is for "I don't have a filesystem yet!" stuff, plus perhaps password attempt counters

this isn't stored in an arbitrary location in nvram, and it isn't on a per-secret basis, but an overal property of the TPM: a counter of failures:

[nix-shell:~]# tpm2 getcap properties-variable > prop-vals.2

[nix-shell:~]# diff prop-vals.1 prop-vals.2
29c29
< TPM2_PT_LOCKOUT_COUNTER: 0x7
---
> TPM2_PT_LOCKOUT_COUNTER: 0x8

Note that the DA lockout counter decrements automatically every TPM_PT_LOCKOUT_INTERVAL seconds, in your case 100s.