And the OEMs provide a switch to turn it off.
That's not true any more. That's the news. People will install Linux on their laptops, find out that hibernation isn't working because of the so-called Secure Boot restrictions, get angry, and just give up Linux and go back to Windows and its world of post-boot malware.
That is the OEMs choice, just like is their choice whether to even give you access to the BIOS.
Impossible, no machine could ever be sold without the capability to boot from an external device, as this would prevent installing Microsoft Windows on it.
We've seen the same thing with default BIOS passwords before too, the hysterical idiots crying "what if the OEMs dont tell us the passwords?!".
Actually, what we have seen is that people saw the so-called Secure Boot as the unuseful and harmful thing that it is, and a limited number of Microsoft supporters labeled them as hysterical idiots pointing at the fact that it could always be disabled. Well, now it's no longer true, as widely expected by the hysterical idiots.
Blaming Microsoft when the onus is on the OEM is obvious stupidity or intentional malicious misdirection.
Leaving aside the fact that "leaving the onus on the OEM" already is an anti-competitive, anti-consumer and anti-free software behaviour, since you are less malicious than me, can you give a non-malicious explanation about why the requirement of being able to disable the so-called Secure Boot is being lifted now? What problem are MS trying to solve? The rising wave of hypno-malware that induces users to enter the firmware setup utility on their machines and disable boot restrictions?