Hacker News

honestSysAdmin | 01/18/2025 | 0 replies

Long before UKI was a thing, this kind of attack was prevented by hardcoding into an EFI stub kernel the sha512 hash of a trusted initrd that would verify the cryptographic authenticity of the initrd that did the "heavy lifting" (mounting disks etc).

We have had not just secure boot but had it better on Linux (and other Unix-like) systems for a very long time.
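Added example, not part of the comment above and not the commenter's code: a minimal model of the two-stage chain it describes, where a SHA-512 digest pinned in the kernel gates a small verifier initrd, which in turn gates the initrd that does the heavy lifting. It assumes the second check is a digest carried inside the verified first stage (the comment may equally mean a signature check); the `next-sha512=` field, function names and sample images are hypothetical.

```python
import hashlib
import hmac
import io

CHUNK = 64 * 1024
MANIFEST_KEY = b"next-sha512="  # hypothetical manifest field name


def sha512_stream(stream):
    """Hash a file-like object in chunks so large images need no full read."""
    h = hashlib.sha512()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.digest()


def matches_pin(image, pinned_hex):
    """Constant-time comparison of the image digest against a pinned value."""
    try:
        pinned = bytes.fromhex(pinned_hex)
    except ValueError:
        return False  # malformed pin never verifies
    return hmac.compare_digest(sha512_stream(io.BytesIO(image)), pinned)


def next_stage_pin(stage1):
    """Read the stage-2 digest out of the already-verified stage-1 image."""
    for line in stage1.splitlines():
        if line.startswith(MANIFEST_KEY):
            return line[len(MANIFEST_KEY):].decode("ascii", "replace")
    return ""  # no manifest entry: stage 2 cannot verify


def boot_decision(kernel_pin_hex, stage1, stage2):
    """Return 'boot' or the stage at which verification stops the boot."""
    if not matches_pin(stage1, kernel_pin_hex):
        return "halt:stage1"
    if not matches_pin(stage2, next_stage_pin(stage1)):
        return "halt:stage2"
    return "boot"


def build_stage1(stage2):
    """Constructed sample: a stage-1 image carrying the stage-2 digest."""
    digest = hashlib.sha512(stage2).hexdigest().encode()
    return b"verifier-initrd\n" + MANIFEST_KEY + digest + b"\n"


# Constructed sample images (not real initrds).
STAGE2 = b"mount disks, switch_root\n"
STAGE1 = build_stage1(STAGE2)
KERNEL_PIN = hashlib.sha512(STAGE1).hexdigest()  # value compiled into the stub
```

Replacing both initrds with a self-consistent pair still halts at stage 1, because the only digest that matters is the one fixed inside the kernel image.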