TrustCB defines — and protects materials according to — three levels of confidentiality, as described here:

Levels of Confidentiality
Public Public information is already in the public domain. Confidentiality of this information does not need to be protected by TrustCB. We do, however, pay attention to the active publication of such information. In particular, information that previously was secret should not be published if it has become public without permission from its owner. Typically treated as Public: Scheme procedures, published certificates, and associated documents (such as Security Targets).
Sensitive/Confidential Sensitive/Confidential information should not be made public. Protection against that occurring is achieved by means such as online services, which have a reasonable expectation of protection against accidental disclosure or intentional breach by an attacker with low attack potential. Examples of such services are Dropbox, and Apple iCloud services, (unencrypted) e-mail such as the content of e-mail accounts, and Google Cloud services such as Calendar and Drive. Typically treated as Sensitive/Confidential: Certification Identifier and product (code)names prior to publication of the certificate, procedural and progress updates, calendar entries, non-secret questions and discussions, applications/offers/purchase orders/invoices, information disclosed about customer and related products not already in the public domain, and internal TrustCB procedures.
Secret Information shall be labelled Secret if disclosure could result in serious harm to reputation, access to high-value assets, or a destabilising financial impact to an organisation. Secret information must be available only in plain text form on permanently-offline systems. All Secret information must be decrypted/encrypted on these permanently-offline systems with sufficiently-strong encryption. The decryption key shall be available only on these permanently-offline systems, and protected with a strong passphrase. PGP/GPG with at least 4096-bit RSA keys shall be used at the TrustCB side. The PGP/GPG keys of other, non-TrustCB, side should be at least 2048 bits. All permanently-offline systems shall use full disk encryption and encrypted containers to protect data at rest and isolate client data. Microsoft BitLocker, MacOS FileVault, PGPDisk or TrueCrypt/VeraCrypt shall be used with a strong passphrase.