The concept behind "secure boot" is simply that a rogue night-operator can't easily reboot your hardware with nothing more than a USB-stick of his own making. But UEFI
also assumes that the rogue night-op can't reach the firmware settings either.
In reality, the firmware of most systems
has been reverse-engineered to the point where the settings necessary to disable (and then, re-enable) UEFI are well known, and the switch can be flipped
(so to speak) without ever touching the firmware screens.
But it was such a nice idea . . .