How about requiring physical interaction? This would resolve the security issues without harming our right to modify our own hardware.
At first, I thought about some kind of "while rebooting, press and hold Scroll Lock to allow the install", but the keyboard is driven by low-level I/O firmware, so that's out.
Then I thought that a physical button would be good, but the scammers could fool Grandma into pushing it "to protect your PC!"
How about a jumper that, while open, does a one-time skip of the UEFI enforcement and prompts you to sign the new UEFI yourself?
This solution fits the problem -- without unduly interfering with our ownership rights. It's a pain for a newbie to crack the case, but maybe that would be educational, too.