Does "security" here mean security from the computer's owner, i.e., Treacherous Computing? If not, then what kinds of security holes are even possible at the point when GRUB is running?
grub consumes a bunch of untrusted material (splash pictures, fonts, filesystems, executables, and more) and parses them. grub's also written in C, which is pretty much the worst case for writing parsers. Someone able to replace any of these with something that triggers a vulnerability in grub is then able to, for instance, take control of your boot process and obtain your disk encryption key or user password or any other secrets you enter.
(I don't want to seem like I'm picking on grub here, it wasn't written with this threat model in mind and it does a lot of things and achieving all of this stuff securely is hard)
Or by anyone with physical access to your system, but also root isn't the same as the kernel - if your boot chain is fully verified then even root can't replace the component asking for your disk encryption key, and can't extract it from the kernel afterwards (assuming a secure kernel)
Can't someone with physical access to my system also pull out the hard drive, edit it however they want, and change Secure Boot settings too? And I don't want there to be anything even root can't do, since then there's stuff I can't do to my own computer.
No, because the secure boot settings are in flash and also the firmware measures the secure boot policy when booting so TPM-backed secrets will be inaccessible if someone modifies the variable store directly.
As a device owner you have the option to recompile your kernel to disable any of the root/kernel barriers - when we designed Shim we did so in a way that ensures that you're always able to disable secure boot. Or you can simply disable secure boot entirely (another feature offered by Shim) at which point the kernel will disable most of those features. But by default the kernel will still, for example, refuse to allow even root to mmap() address regions belonging to hardware - some of those restrictions are down to "This has a high risk of causing accidental data corruption" rather than anything nefarious.
