
NekkoDroid, today at 2:34 PM, 0 replies

You don't even need a developer mode. I was looking into making my own image based distro/system which has its bootchain entirely verified and I intend to make any modifications via system extensions[1], which IIRC also get measured as well (or was at least planned somewhere). To be fair, this is purely additive or overlaying, so no removing of files, at best changing. This all would be signed using Secure Boot and after the fact using dm-verity.

Secure Boot in theory isn't even necessary, only TPM2. Secure Boot only ensures that you are actually booting into a binary that you expect to boot in this case, so if your binary is actually different it would result in different PCR values in the TPM indicating something is wrong.

Sadly a lot of end user software (flatpak, ...) isn't packaged & signed in a way which would allow for full "only run software I allow by importing public keys" (read Linux IPE[2]), but what can you do, only your best I suppose...

[1]: https://www.freedesktop.org/software/systemd/man/systemd-sys...

[2]: https://docs.kernel.org/admin-guide/LSM/ipe.html
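The mechanism the comment relies on, that a changed boot stage (or a changed system extension) yields a different PCR value and therefore fails the policy a secret was sealed against, can be shown with a small model of TPM2 PCR extension. The code below is an added illustration, not the commenter's code and not taken from systemd or the kernel. It assumes the simplified semantics of a SHA-256 PCR bank: the PCR starts as 32 zero bytes, each extend computes SHA256(old_pcr || digest), and each stage's measurement digest is the plain SHA-256 of its image (real firmware hashes UEFI PE images differently, but the chaining property is the same). All stage images and the stage names are constructed sample data.

```python
import hashlib
import hmac

# Assumption (simplified TPM 2.0 model): SHA-256 PCR bank, PCR initialised
# to 32 zero bytes, extend(old, d) = SHA256(old || d). Not real TPM code.
PCR_INIT = b"\x00" * 32


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """One PCR extend operation in the SHA-256 bank."""
    return hashlib.sha256(pcr + digest).digest()


def measure_bootchain(components: list[tuple[str, bytes]]) -> tuple[bytes, list[dict]]:
    """Walk the boot chain in order: each stage measures the next image into
    the PCR before handing over control. Returns the final PCR value and an
    event-log style list so the value can be replayed and audited later."""
    pcr = PCR_INIT
    log = []
    for name, image in components:
        digest = hashlib.sha256(image).digest()  # simplified: whole-image hash
        pcr = pcr_extend(pcr, digest)
        log.append({"stage": name, "digest": digest.hex(), "pcr_after": pcr.hex()})
    return pcr, log


def replay_log(log: list[dict]) -> bytes:
    """Recompute the PCR from the event log. If the replayed value does not
    match what the TPM reports, the log or the platform has been tampered with."""
    pcr = PCR_INIT
    for entry in log:
        pcr = pcr_extend(pcr, bytes.fromhex(entry["digest"]))
    return pcr


def policy_allows_unseal(sealed_pcr: bytes, current_pcr: bytes) -> bool:
    """Stand-in for a TPM PCR policy: a sealed secret (e.g. a disk key) is only
    released when the current PCR equals the value it was sealed against."""
    return hmac.compare_digest(sealed_pcr, current_pcr)


# Constructed sample images standing in for the real boot stage binaries.
GOOD_CHAIN = [
    ("shim", b"constructed: shim image v1"),
    ("systemd-boot", b"constructed: bootloader image v1"),
    ("unified kernel image", b"constructed: kernel+initrd image v1"),
    ("sysext: my-tools", b"constructed: system extension image v1"),
]


def with_stage_replaced(chain: list[tuple[str, bytes]], stage: str, new_image: bytes):
    """Return a copy of the chain with one stage's image swapped out."""
    return [(name, new_image if name == stage else img) for name, img in chain]


if __name__ == "__main__":
    sealed, log = measure_bootchain(GOOD_CHAIN)
    print("sealed PCR:", sealed.hex())
    print("replay matches TPM:", replay_log(log) == sealed)

    # Same chain booted again: identical PCR, secret is released.
    again, _ = measure_bootchain(GOOD_CHAIN)
    print("unchanged boot unseals:", policy_allows_unseal(sealed, again))

    # One byte differs in the kernel image: every later PCR value changes,
    # the policy fails and the sealed secret stays locked.
    evil, _ = measure_bootchain(
        with_stage_replaced(GOOD_CHAIN, "unified kernel image", b"constructed: kernel+initrd image v1!")
    )
    print("modified kernel unseals:", policy_allows_unseal(sealed, evil))

    # A swapped system extension is caught the same way, since it is measured too.
    ext, _ = measure_bootchain(
        with_stage_replaced(GOOD_CHAIN, "sysext: my-tools", b"constructed: different extension")
    )
    print("modified sysext unseals:", policy_allows_unseal(sealed, ext))
```

Because each extend folds the previous PCR value into the hash, the final value depends on both the content and the order of every measured stage; that is why the comment can treat the TPM measurement alone as sufficient evidence that the expected images booted, with Secure Boot serving only to refuse unexpected images up front.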