It increases security in certain circumstances. Mostly for Windows users at big corporations.

For example, you want your users' laptop hard drives to be encrypted - but also you have users who regularly forget their passwords? With bitlocker their hard drive can decrypt itself, so they only need to remember their windows login, which you can reset remotely.

You give laptops to your field workers, who have full physical access and would love to play video games or access netflix when work puts them in a hotel over night with nothing to do? With secure boot you can keep your precious spreadsheets locked down, even if they're willing to boot from USB sticks or swap the hard drive.

And perhaps most importantly, it has "secure" in the name. So the corporation's IT security auditors will like to see it turned on even if they have only a vague understanding of what it does.

Maybe you are too young for this but viruses modifying boot partitions was a big thing back then. It is simply impossible to inject some code without finding an exploit in UEFI with Secure Boot or somehow exploiting the kernel. It is still possible to do this kind of hack but it is 2 orders of magnitude harder.

Linux distributions have been shipping with secure boot support since 2012, so if that was the goal it had already failed over a decade ago.

SecureBoot and UEFI were "bundled" with Windows 8.0 PC's to curtail the possibility of users easily installing Windows 7 instead.

Earlier versions of Windows were a much bigger threat to adoption of Windows 8 than Linux was.

Yes, it does, for some values of security. Operated correctly it allows you to know you can trust everything on your system from the UEFI firmware down, because if any part of that chain didn't match what you were expecting to be there the next step in the chain would refuse to execute.

Most people experience this via Windows, which automatically sets up that chain of trust so that you can know you've not had a rootkit injected somewhere. In other cases it may be Linux or something more exotic booting, and it requires some management by whoever is operating the device, but that comes with the benefit of knowing that if one of our devices has got to the point of decrypting it's storage we can be reasonably confident that it hasn't been tampered with, and so we can trust it to send good data.

Is secure boot even enabled by default?

I have never used it on my gaming PC and Windows doesn't seem to care.