Exactly, Apple is making this a black and white choice on purpose. To make it unattractive to bypass them, and introduce legitimate security concerns if you do so. But those don't have to exist if the options were more fine-grained.

The same with SIP (system integrity protection). You can turn it off but then you have to turn it all off.

There's no way to keep secure boot but bless your own changes and sign them in some way, that you have approved. You know, as the owner and admin of your own computer. It's either leave it to Apple or be completely on your own. And to make the choice even more uncomfortable they also disable some features like running iOS apps.

I think you should read up on how secure boot works with macOS and alternate operating systems before speaking this negatively about the implementation. Apple is already giving you exactly what you’re asking for.

It’s not really even that different than a PC motherboard that gives you “Windows UEFI” and “enroll my own keys” as options.

https://asahilinux.org/docs/platform/security/

As far as code signing, again, what do you want Apple to do here? They already gave you a master switch to turn it off. You are free to turn it off then implement your own third party code signing solution if you’d rather choose who you trust. It’s not Apple’s fault if nobody else decided to make their own trust repositories and the only alternative on the market is to have no safeguard at all.

And let’s not forget who Apple markets their computers to. These features aren’t for you and me, they’re for the non-technical customers who will absolutely get pwned by unsigned code. Go to the MacBook Neo marketing page and try to find a single image of someone writing code or even being gainfully employed.