Your computer generate a random key using (hopefully) a trusted PRNG with good enough sources. This key is then used to encrypt your data. This key is stored in your computer’s TPM module, and provided to the OS only if the chip approves all the checks in places. In addition, you get that key displayed to you, so you can write it down (or alternatively save the key file somewhere of your convenience). This is relatively good as far as security goes (unless the TPM is broken, which can happen).

And then, unless you jumped through hoops to disable it, your PC sends the key to Microsoft so they can just keep it linked to your account. That’s the part that sucks, because then, they have the key, can unlock your drive on your behalf, and have to produce it if asked by a judge or something.

Note that there are relatively safe way to protect these keys even if they are backed up in “the cloud”, by encrypting them beforehand using your actual password. It’s not absolutely perfect, but can make it very hard/costly/impossible to retrieve, depending on the resources of the attacker/government agency. But MS didn’t chose this way. I don’t know if it’s because of sheer incompetence, inattention, or because this feature is claimed to be here to “help” people that lose their key, and as such are likely to lose their password too, but it is what it is.