I'm currently looking at the possibilities of storing/using secrets keys in an Android application. I've found Nikolay Elenkov's blog very helpful regarding this topic and I
Your analysis of the TEE-based hardware-backed scenario is correct. The private key bits generated in the TEE (which isn't necessarily compliant with the Global Platform specs) never leave the TEE and private key operations are performed inside it.
You're also correct that the handles to the TEE-based keys are stored in Keystore, so it's possible for root to access and use any of them, or to move them around so any app can use them.
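A way to check the first point from an app, as an added example that is not part of the answer above: generate a signing key through Android Keystore and ask the platform whether the private key actually lives in secure hardware. The class name, alias and helper method names are assumptions; the APIs (`KeyGenParameterSpec`, `KeyInfo`, `KeyFactory`) are the standard Android ones.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;

import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;

/** Hypothetical helper (not from the thread): create a TEE-backed signing key and verify where it lives. */
public final class HardwareBackedKeyCheck {

    // Constructed alias for the example; any app-specific name works.
    private static final String ALIAS = "example-signing-key";

    /** Generates a P-256 signing key inside Android Keystore; the private bits never reach app memory. */
    public static KeyPair generateSigningKey() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(
                ALIAS, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .build());
        return kpg.generateKeyPair();
    }

    /**
     * True only if the platform reports the private key is held in secure hardware (TEE).
     * On API 31+ KeyInfo.getSecurityLevel() gives the finer-grained answer (TEE vs StrongBox).
     */
    public static boolean isHardwareBacked(PrivateKey key) throws Exception {
        KeyFactory factory = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
        try {
            KeyInfo info = factory.getKeySpec(key, KeyInfo.class);
            return info.isInsideSecureHardware();
        } catch (InvalidKeySpecException e) {
            // Not an AndroidKeyStore key, so there is nothing to report about its location.
            return false;
        }
    }
}
```

A true result means the key material cannot be exported, but, as the answer notes, it says nothing about who can invoke the key handle: a root-level process on the device can still ask Keystore to sign with it.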