You can cast doubt on TPM/SecureBoot implementations with evidence, but it very much is real security controlled by the user with mokutil. We need more of this kind of security, that's controlled by the user, if we're ever going to get away from locked bootloaders.
They give you the keys now. They could change that overnight if they mandate the same "Secure Boot only with a Microsoft key" that they mandated on early ARM devices. Don't be mistaken. They are very much the Don of x86, and when they choose to alter the deal, you'll be SOL.
That's why I consider alternative ecosystems (that don't have exorbitant prices) like RISC-V and Raspberry Pi to be critical to the survival of general-purpose computing. Once your ability to run on bare metal disappears (via Secure Boot or otherwise), you're in grave danger of simply not having physical hardware to convert new users.
I hope the regulations being discussed right now[1] pass and we can just call SecureBoot what it is instead of fearing what it might become (at least on x86).