Single-user mode is clearly not what is happening with root. It's not like any app just can elevate to root, there's always a request requiring authorization, just like account elevation on windows and sudo on Linux. This is not idiot-proof, but if you view your users as idiots, that's telling... About the bootloader: root does not require secure boot off, if (!) root is built into the rom in the first place. In this case it still protects against many attacks. FS encryption protects against many of the remaining attacks.
Lineageos does not offer root anyway, so that cannot be the reason it doesn't have secure boot. Its probably just that they do not have that focus on pixel, and other bootloaders don't support relocking security for custom roms.
