Can't someone with physical access to my system also pull out the hard drive, edit it however they want, and change Secure Boot settings too? And I don't want there to be anything even root can't do, since then there's stuff I can't do to my own computer.
No, because the secure boot settings are in flash and also the firmware measures the secure boot policy when booting so TPM-backed secrets will be inaccessible if someone modifies the variable store directly.
As a device owner you have the option to recompile your kernel to disable any of the root/kernel barriers - when we designed Shim we did so in a way that ensures that you're always able to disable secure boot. Or you can simply disable secure boot entirely (another feature offered by Shim) at which point the kernel will disable most of those features. But by default the kernel will still, for example, refuse to allow even root to mmap() address regions belonging to hardware - some of those restrictions are down to "This has a high risk of causing accidental data corruption" rather than anything nefarious.
