The white paper addresses this - the UEFI CA is not included in the secure enclave's trust store. This is intentional - the UEFI CA is used to sign bootloaders that don't perform chain-of-trust validation, meaning that if the secure enclave trusted the UEFI CA by default, then secure boot could be pretty trivially bypassed.
Sure, they could make things more secure by allowing you to add your own keys. You could go ahead and add the public key for your secure bootloader that does chain-of-trust validation, but the "typical scenario" would be a user adding a generic UEFI CA that leaves them open to a modified or malicious OS.
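A small model of the distinction the comment draws, added here as an example and not taken from the white paper or the commenter: a trust store, a bootloader that either does or does not validate the stage it hands off to, and the outcomes when a generic CA is enrolled. The keys, image names and the `validates_next` flag are constructed for the model, and HMAC-SHA256 stands in for the asymmetric signatures real firmware checks so it runs with the standard library only.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed keys. HMAC-SHA256 stands in for the asymmetric signatures a real
# firmware would verify, so the model runs with the standard library only.
KEYS = {
    "vendor-ca": b"constructed-vendor-ca-key",
    "uefi-ca": b"constructed-generic-uefi-ca-key",
    "my-loader-key": b"constructed-user-enrolled-key",
}


@dataclass
class Image:
    name: str
    payload: bytes
    validates_next: bool      # does this stage verify what it hands off to? (constructed flag)
    signer: str = ""
    signature: bytes = b""


def sign(image: Image, key_name: str) -> Image:
    image.signer = key_name
    image.signature = hmac.new(KEYS[key_name], image.payload, hashlib.sha256).digest()
    return image


def verify(image: Image, trust_store: set) -> bool:
    """An image passes only if its signer is enrolled and the signature matches the payload."""
    if image.signer not in trust_store:
        return False
    expected = hmac.new(KEYS[image.signer], image.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, image.signature)


def boot(chain: list, trust_store: set) -> tuple:
    """Simulate the hand-off from firmware through each stage to the OS.
    Firmware always checks stage 0. A later stage is checked only if the stage
    before it performs chain-of-trust validation. Returns (what ran, fully_verified)."""
    if not verify(chain[0], trust_store):
        return ("halt", False)
    fully_verified = True
    for prev, cur in zip(chain, chain[1:]):
        if prev.validates_next:
            if not verify(cur, trust_store):
                return ("halt", False)
        else:
            fully_verified = False  # cur runs without anyone having checked it
    return (chain[-1].name, fully_verified)


def scenarios() -> dict:
    """Constructed boot chains exercising the trust-store policy."""
    vendor_loader = sign(Image("vendor-loader", b"loader v1", validates_next=True), "vendor-ca")
    vendor_os = sign(Image("vendor-os", b"kernel v1", validates_next=False), "vendor-ca")
    # Modified kernel carrying the original's signature: payload no longer matches.
    tampered_os = Image("tampered-os", b"kernel v1 + extra code", validates_next=False,
                        signer="vendor-ca", signature=vendor_os.signature)
    # Generic loader signed by the broad CA; it loads whatever it is pointed at.
    generic_loader = sign(Image("generic-loader", b"pass-through loader", validates_next=False), "uefi-ca")
    unsigned_os = Image("unsigned-os", b"anything", validates_next=False)
    # User-enrolled key for a loader that does validate its next stage.
    my_loader = sign(Image("my-loader", b"validating loader", validates_next=True), "my-loader-key")
    my_os = sign(Image("my-os", b"my kernel", validates_next=False), "my-loader-key")

    strict = {"vendor-ca"}
    return {
        "vendor_chain": boot([vendor_loader, vendor_os], strict),
        "tampered_os_rejected": boot([vendor_loader, tampered_os], strict),
        "generic_ca_not_trusted": boot([generic_loader, unsigned_os], strict),
        "generic_ca_enrolled": boot([generic_loader, unsigned_os], strict | {"uefi-ca"}),
        "own_validating_loader": boot([my_loader, my_os], strict | {"my-loader-key"}),
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label}: ran={outcome[0]}, fully_verified={outcome[1]}")
```

The `generic_ca_enrolled` case is the one the comment describes: enrolling the broad CA makes the firmware accept a loader that never checks its payload, so an unsigned OS runs with `fully_verified` false. Enrolling a key only for a loader that validates its next stage (`own_validating_loader`) keeps the chain intact.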