Secure boot isn’t mandatory, and if you want secure boot you don’t have to use Microsoft’s keys; you can enroll your own. Lanzaboote for NixOS, for example, doesn’t use shim: https://github.com/nix-community/lanzaboote
Sometimes certain product lines act like they consider customers on rare occasion...
But most manufacturers try to lock the firmware down, and users only get a small subset of configuration menus. For example, the Gigabyte RTX-based laptops require patching a machine-specific BIOS to even gain access to the OEM firmware areas.
Mostly the modern builds just created a bunch of problems nobody wanted, and didn't improve anything, as Asus, Gigabyte, and Razer recently showed.
If you are running signed code on many machines. YMMV... Raspberry Pi avoided the signed code features built into most Broadcom ARM chips for good reasons. =3
GTFO, as you re-key your installations this fall with Microsoft's permission. =3