Thanks for the quick answers! I don't know much about TPMs, so I'll have to read about software ones to find out about that model.

One of my clients has security audits where even certs result in fights about "secrets on the machine" and having this one level of indirection for host keys may help out, even if a SWTPM doesn't provide much. At least, depending on how the SWTPM presents on the filesystem.