Actually, I would love for you to explain to me how Secure Boot alone would protect someone from any of that. If you want to protect files, you need full disk encryption, not Secure Boot.
Or are you seriously expecting a government-level threat actor to bother to:
- Sneak into your home while you're away or asleep;
- Overwrite your bootloader or UEFI with a rootkitted image of the same version so it's impossible to tell;
- Wait for you to boot your computer and enter your disk encryption password, then:
- Use the rootkit to read the decrypted files off your disk?
That's the great thing about fascist governments, is they have no need to be that sneaky. They can just change the laws to make whatever you're doing illegal and jail you until you agree to give up your documents, or simply hit you with a $5 wrench until you tell them the password.
Yeah, but the malware can just wait for a system upgrade where you sign a new boot image and slip itself in then.
It works for Windows because theoretically only Microsoft would have the signing key and it's not just sitting on disk somewhere. But then you're just trusting Microsoft, and also subject to vendor lock-in.