Knox doesn't prevent you from modifying the bootloader... Verizon had Samsung protect the bootloader in ways that are totally independent of Knox.
Knox will REFUSE TO RUN if the bootloader has ever been modified, but even THAT was a policy decision forced on Samsung by customers (like large banks) who refused to license Knox unless Samsung did their bidding. Knox was ACTUALLY designed with the assumption that the phone would have two bootloaders... an immutable stage-1 bootloader, and a modifiable stage-2 bootloader. The idea was that Knox would refuse to run if the stage 2 bootloader was modified, but users could still root and use the phone without Knox, then later reflash the phone to an approved/stock ROM using the immutable stage-1 bootloader. Since the stage-1 bootloader is immutable, and by design can never be changed, it can always be used to securely reflash the stage-2 bootloader, which can then reflash the rest of the phone.
It was actually VERIZON that went a step farther & forced Samsung to screw with the stage 1 bootloader to make it harder for end users to get at the stage 2 bootloader. Samsung itself really, truly, genuinely, doesn't give a shit if you reflash the phone to a new ROM. They won't provide tech support for alternate ROMs (some of which are, in fact, quite dysfunctional), but when they get a phone sent in for warranty repairs, the literal FIRST THING THEY DO is connect it to a JTAG programmer, wipe it completely, and reflash it to stock.
On SOME Samsung phones, there's also a partial loophole... if you can find a way to reflash the stage-2 bootloader to TWRP or Clockworkmod AND ensure that the phone never boots into a ROM with Knox while the bootloader is modified, the "Knox Warranty Bit" will never be touched, and you can later reflash it back to a stock ROM with stock stage-2 bootloader & Knox will never know the difference.
Knox itself is annoying, but not particularly evil(*). Once you get TWRP or Clockworkmod onto the phone and reflash it to a custom ROM, you'll never see or have to deal with Knox ever again. And just for the record, the infamous "Knox Warranty Fuse" isn't a flag that negates the warranty on the phone ITSELF... it only negates the warranty on the phone's future ability to run Knox. So if you install Cyanogen on your Note 4, then later go to work for a company that requires Knox if you want to use company email from your phone, you can't file a warranty claim for a replacement on the grounds that the phone can no longer run Knox... but you most certainly CAN still file warranty claims on things like a defective USB jack, the touchscreen, etc. That's not to say some low-level CSR might not tell you otherwise, but once you escalate it to a higher-level CSR and say the magic phrase "Magnuson-Moss Warranty Act", they'll give in quickly.
(*) Compared to most mobile device managers used by Enterprise customers, Knox is actually pretty tame... it allows management to blow away the encryption key needed to access company data on the phone if you quit/get fired/etc, but does nothing to screw with other files on the device. Other MDMs are WAY nastier, and give managers the ability to remotely wipe your ENTIRE PHONE (including YOUR OWN PERSONAL DATA, like photos). Knox isn't *quite* perfect (it limits your ability to access "Secure" data, but does nothing to prevent your company from pushing OTHER apps to your phone that in any other context would be classified as 'malware'), but Knox itself is probably the least-evil MDM out there.
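The two-stage boot chain and warranty-bit policy described in the comment above, modelled as a small Python simulation. This is an added example, not Samsung's or Knox's code: the device, the sample images, and the rule that stage 1 detects a modified stage 2 by comparing its hash against a value baked into the immutable stage 1 are all assumptions made to illustrate the described behaviour (an immutable stage 1 that can always rewrite stage 2, a one-way warranty bit that is only blown when a Knox-enabled ROM boots on a modified stage 2, and a Knox that refuses to run once the bit is set). It walks through both outcomes the comment describes: the "loophole" path, where a custom stage 2 only ever boots a non-Knox ROM and the bit stays clear, and the tripped path, where the bit is set and a later reflash to stock does not clear it.

```python
"""Toy model of a two-stage boot chain with a one-time warranty bit.

Added example; not Samsung/Knox code. Image contents, the hash-based
stage-2 check and the ROM flags are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for bootloader images and ROMs (not real binaries).
STOCK_STAGE2 = b"stock-stage2-bootloader-v1"
CUSTOM_STAGE2 = b"third-party-recovery-stage2"
KNOX_ROM = {"name": "stock-rom", "knox": True}      # ships with Knox
CUSTOM_ROM = {"name": "custom-rom", "knox": False}  # no Knox at all


@dataclass
class Device:
    # Stage 1 is immutable: it holds the expected stage-2 hash and is never
    # rewritten by anything in this model (assumption: hash comparison is how
    # a modified stage 2 is detected).
    stage1_expected_stage2_hash: str = field(
        default_factory=lambda: sha256_hex(STOCK_STAGE2))
    stage2: bytes = STOCK_STAGE2
    rom: dict = field(default_factory=lambda: dict(KNOX_ROM))
    # One-time-programmable: may only ever go False -> True.
    warranty_bit: bool = False

    def stage2_is_stock(self) -> bool:
        return sha256_hex(self.stage2) == self.stage1_expected_stage2_hash

    def flash_stage2(self, image: bytes) -> None:
        # Stage 1 can always rewrite stage 2, whatever state the phone is in.
        self.stage2 = image

    def flash_rom(self, rom: dict) -> None:
        # Stage 2 (stock or custom) rewrites the rest of the phone.
        self.rom = dict(rom)

    def boot(self) -> str:
        """Boot once and report the outcome.

        Policy as described in the comment: a Knox ROM booting on a modified
        stage 2 blows the warranty bit; once blown, Knox refuses to run, and
        the bit never clears. A ROM without Knox never touches the bit.
        """
        if self.rom["knox"] and not self.stage2_is_stock():
            self.warranty_bit = True  # irreversible
        if self.rom["knox"]:
            return "knox-refused" if self.warranty_bit else "knox-running"
        return "custom-rom-running"


def scenario_loophole():
    """Custom stage 2 only ever boots a non-Knox ROM, then back to stock."""
    d = Device()
    d.flash_stage2(CUSTOM_STAGE2)
    d.flash_rom(CUSTOM_ROM)
    first = d.boot()                 # bit untouched: no Knox ROM involved
    bit_after_custom = d.warranty_bit
    d.flash_stage2(STOCK_STAGE2)     # stage 1 restores stock stage 2
    d.flash_rom(KNOX_ROM)
    second = d.boot()                # Knox never knows the difference
    return first, bit_after_custom, second, d.warranty_bit


def scenario_tripped():
    """Custom stage 2 boots the Knox ROM once: bit set, and it stays set."""
    d = Device()
    d.flash_stage2(CUSTOM_STAGE2)    # ROM left as the Knox-enabled stock ROM
    first = d.boot()
    bit_after_trip = d.warranty_bit
    d.flash_stage2(STOCK_STAGE2)     # reflash to stock afterwards
    d.flash_rom(KNOX_ROM)
    second = d.boot()                # still refused: the bit is one-way
    return first, bit_after_trip, second, d.warranty_bit


if __name__ == "__main__":
    print("loophole path:", scenario_loophole())
    print("tripped path: ", scenario_tripped())
```

The only state the model never lets anything rewrite is stage 1 and the blown bit; everything else can be reflashed freely, which is exactly why, in the comment's account, the warranty bit reflects what was ever booted rather than what is currently installed.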