
Can other software programs deny access to data sealed in a PCR of a TPM by extending measurements to that PCR?


In particular, Microsoft posting this has me wondering: "Windows only uses one PCR bank".

I am also studying the Linux kernel and it uses PCR[9] only for its boot process so far in my study.

My understanding is that the ordering of measurement extensions to a single PCR is necessary for security and, in particular, sealing and then unsealing to get data linked to that PCR. This would mean if some other software program decided to extend a measurement to a PCR that you sealed data in, you would not be able to retrieve it.

Is that right? I am thinking I am missing something since that would make MITM attacks to prevent data access very easy.


Solution

  • If you change the PCR value, then no other software can unseal data that was sealed using the previous PCR value.

    You are right, if any software can change the PCR value before your software can unseal its data, it will not be able to do so.

    PCR values are often used for measuring the system state and allowing access to data only if the system is in a defined (secure) state. So this is not a big problem, because if malicious software can change the PCR value, you are not in the defined state.

    If you want to seal/encrypt data with the TPM independent from the system state, there may be better ways.
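
The behaviour discussed in the question and answer above, as an added example that is not part of the original post: a toy Python model of one SHA-256 PCR showing that an extend folds each measurement into the previous value, so both an extra extend and a different ordering change the value a sealed blob is checked against. The `SimulatedTPM` class, the measurement strings and the secret are constructed for illustration; a real TPM encrypts the blob under a storage key and enforces the PCR condition through a policy digest.

```python
import hashlib

PCR_SIZE = 32  # one PCR in the SHA-256 bank


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = SHA256(old || digest). The caller hashes the measured data."""
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(pcr + digest).digest()


def replay(measurements) -> bytes:
    """Compute the PCR value a given measurement sequence produces from reset (all zeros)."""
    pcr = bytes(PCR_SIZE)
    for m in measurements:
        pcr = extend(pcr, m)
    return pcr


class SimulatedTPM:
    """Toy model (assumption): one PCR, and seal/unseal gated on its current value."""

    def __init__(self):
        self.pcr = bytes(PCR_SIZE)

    def pcr_extend(self, measurement: bytes) -> None:
        self.pcr = extend(self.pcr, measurement)  # a PCR can be extended, never set

    def seal(self, secret: bytes, expected_pcr: bytes) -> dict:
        return {"secret": secret, "policy_pcr": expected_pcr}

    def unseal(self, blob: dict) -> bytes:
        if self.pcr != blob["policy_pcr"]:
            raise PermissionError("PCR value does not match sealing policy")
        return blob["secret"]


def demo() -> dict:
    boot = [b"bootloader-v1", b"kernel-v1"]  # constructed measurement log
    tpm = SimulatedTPM()
    blob = tpm.seal(b"disk-key", replay(boot))  # seal to the expected boot state
    for m in boot:
        tpm.pcr_extend(m)
    results = {"clean_boot": tpm.unseal(blob)}
    tpm.pcr_extend(b"other-program")  # any later extend leaves the sealed state
    try:
        results["after_extra_extend"] = tpm.unseal(blob)
    except PermissionError:
        results["after_extra_extend"] = "denied"
    results["order_matters"] = replay(boot) != replay(boot[::-1])
    return results
```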