Well, try running a kernel or bootloader not signed by Microsoft on new Restricted^WSecure Boot systems. The requirement for the user's ability to disable Restricted Boot on x86 has recently mysteriously disappeared, wanna guess what's coming next?
Another thing: Windows bootloaders are signed with a key named "Microsoft Windows Production PCA". There's a different signing key, "Microsoft Corporation UEFI CA", that OEMs merely "should consider" including. Guess which one the keys of distributions that begged to have their keys signed are signed with?
And once you boot one such kernel in Secure Boot mode, you can't insert unsigned modules, kexec unsigned kernels, or access (even as root) a number of facilities that could let you gain control over your own machine.
These kernels work normally when booted without Secure Boot.
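As an added example (not part of the original comment), a small POSIX shell script that reports the state the comment describes: it reads the firmware SecureBoot EFI variable and the kernel lockdown mode, the two settings that decide whether unsigned modules and unsigned kexec targets are refused. It assumes efivarfs is mounted at /sys/firmware/efi/efivars and the kernel exposes /sys/kernel/security/lockdown; both paths can be overridden for testing.

```shell
#!/bin/sh
# Added example, not code from the original comment.
# Assumes Linux with efivarfs mounted under /sys/firmware/efi/efivars and a
# kernel that exposes the lockdown LSM via securityfs.

# efivarfs files are 4 bytes of attributes followed by the variable data;
# for SecureBoot the data is a single byte, 1 = enabled, 0 = disabled.
secure_boot_state() {
    file="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
    [ -r "$file" ] || { echo "unknown"; return 0; }
    val=$(od -An -tu1 -j4 -N1 "$file" | tr -d ' ')
    case "$val" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# /sys/kernel/security/lockdown lists the modes with the active one in
# brackets, e.g. "none [integrity] confidentiality"; print the active one.
lockdown_mode() {
    file="${1:-/sys/kernel/security/lockdown}"
    [ -r "$file" ] || { echo "unavailable"; return 0; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$file"
}

main() {
    sb=$(secure_boot_state)
    ld=$(lockdown_mode)
    echo "Secure Boot: $sb"
    echo "Kernel lockdown: $ld"
    if [ "$sb" = "enabled" ] && [ "$ld" != "none" ] && [ "$ld" != "unavailable" ]; then
        echo "Unsigned modules and unsigned kexec targets will be refused."
    fi
}

main "$@"
```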