Hey Pauly,
Drop any consideration of Windows 10 sign-in password vs. PIN. They are not related to the drive encryption concerns. Even if you set up PIN sign in for Windows, you can still use your password to sign in instead.
All computer security is a balance of security vs convenience. TPM-only BitLocker makes your data more secure than it was before, but less secure than TPM+PIN. Inputting a 6+ digit PIN during bootup is a pretty minor inconvenience for the additional security it provides.
Think through the logical process of what your computer needs to access in order to boot Windows.
The system can't access an encrypted volume that hasn't been unlocked yet. The UEFI bootloader lives on a separate, hidden (no drive letter, visible in disk tools) partition on the system drive. This partition doesn't get encrypted, but also doesn't store your personal data.
Your system starts up, reads the boot config from the firmware/BIOS, then attempts to read the UEFI partition on the system drive. This fires the Windows bootloader. If you're set to TPM unlock, the system reaches out to the TPM requesting the cert to unlock. If this is present, the drive unlocks and the system continues booting to Windows. If it is absent (drive moved to another machine, TPM reset, certain other config changes) it prompts for the recovery key (which is quite long and difficult to brute force crack). If you supply the recovery key, the drive unlocks and the system can boot. If not, the BitLocker UI times out and the system reboots. Data not exposed.
Now if you add the BitLocker PIN in addition to TPM protector, the system will start the Windows boot loader, check for TPM cert, then launch a UI to prompt the user to input the BitLocker PIN. This second factor hits the security model of something that you have (TPM) + something that you know (BL PIN). After entering your BL PIN, the drive unlocks, the system boots and you go to the Windows sign-in screen and enter your password (or Hello PIN if configured, again, this is completely separate from BL PIN and should be a different number).
Your backup can be set up for encryption in different ways than your OS drive.
You can enable BitLocker on the backup drive also. Please be sure to back up and safely but securely store the recovery drive for this volume as well. This will be a different recovery key than your OS drive.
Alternatively, you can enable encryption of the backup file in the backup program you use. I currently use Macrium Reflect. You can set a password and set the desired encryption strength when setting up the backup config. Encryption support does require a paid version of the software. The higher the encryption strength you set, the more CPU will be required for encrypting/decrypting the backup when creating or reading it. This option only encrypts the backup file and does not protect any other files you copy to the drive.
BIOS/Firmware password: This is mostly unrelated to drive encryption and protection of data at rest. You can set one to make it more difficult to change the boot order of the machine to boot from USB or other drive. I may be wrong on modern machines, but in the past BIOS passwords could pretty trivially be removed by removing the CMOS battery or setting the BIOS clear jumper.
If you have BitLocker TPM+PIN configured, clearing the BIOS PW and booting to USB drive will not unlock your drive without inputting the BitLocker PIN or recovery key. See links below for accessing BitLocker volume in Linux. You still have to provide the recovery key to access the data.
https://www.m3datarecovery.com/bitlo...ive-linux.html
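
Added example, not part of the original post: a PowerShell audit that lists which key protectors each BitLocker volume has, so you can see whether the OS drive is TPM-only or TPM+PIN and whether every volume (including a backup drive) has its own recovery password. It uses the built-in `Get-BitLockerVolume` cmdlet; the helper name `Get-ProtectorFinding` is made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: report BitLocker key protectors per volume (run from an elevated prompt).

# Hypothetical helper: turns a volume's protector list into plain-language findings.
function Get-ProtectorFinding {
    param(
        [string]$VolumeType,          # 'OperatingSystem' or 'Data'
        [string]$ProtectionStatus,    # 'On' or 'Off'
        [string[]]$ProtectorTypes     # e.g. 'Tpm', 'TpmPin', 'RecoveryPassword'
    )
    $findings = @()
    if ($ProtectionStatus -ne 'On') {
        $findings += 'Protection is off: data at rest is not protected'
    }
    if ($VolumeType -eq 'OperatingSystem') {
        if ($ProtectorTypes -contains 'TpmPin') {
            $findings += 'TPM+PIN: a pre-boot PIN is required before the drive unlocks'
        } elseif ($ProtectorTypes -contains 'Tpm') {
            $findings += 'TPM only: drive unlocks at boot with no user input'
        }
    }
    if ($ProtectorTypes -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector on this volume'
    }
    return $findings
}

# Walk every volume BitLocker knows about, including external backup drives.
Get-BitLockerVolume | ForEach-Object {
    $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        MountPoint = $_.MountPoint
        VolumeType = $_.VolumeType
        Status     = $_.ProtectionStatus
        Protectors = $types -join ', '
        Findings   = (Get-ProtectorFinding -VolumeType $_.VolumeType `
                        -ProtectionStatus $_.ProtectionStatus `
                        -ProtectorTypes $types) -join '; '
    }
} | Format-List

# To add a pre-boot PIN to the OS drive (Group Policy must allow startup PINs):
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector `
#       -Pin (Read-Host 'BitLocker PIN' -AsSecureString)
```

Each volume's recovery password has its own protector ID, so a backup drive's recovery key needs to be stored separately from the OS drive's.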