As someone who uses systemd, "boot security" is pointless. If someone has enough access to your hardware to try booting a different kernel, they have time to load a signed shim that passes secure boot and launches unsigned code.
The only boot security real users need is disk encryption.
There are multiple possible configurations. Only the most basic will permit an arbitrary payload as you describe.
I've never been entirely clear about the security model when the signed shim is permitted. I assume I'm missing some nuance.
Disk encryption alone won't protect you from either persistent malware (remote) or evil maids (local).
> The only boot security real users need is disk encryption.
Which becomes easy to bypass without boot security. If an adversary can modify code that executes in the boot process, they can steal your keys.
> or if they have physical access.
If you're not worried about physical access, then why would you encrypt your disk at all?
> signed shim
How would they sign such a shim without my keys? I don't leave Microsoft keys enrolled on my laptop.
"on a system not configured for boot security, you get no boot security" is indeed correct. If you care about boot security, your local platform doesn't give you the chance to boot custom kernels and not passing secure boot doesn't give you decryption keys.