According to the Debian wiki on SecureBoot,
This removes the risk of userland malware potentially enrolling new keys and therefore bypassing the entire point of SB.
So SecureBoot stops users from installing keys without UEFI confirmation (outside of the OS) and verification with a passcode. That makes sense.
However, nothing there ever says to remove the key so root doesn’t have access to it. Does SecureBoot serve any purpose if I keep my private key in a root-accessible file?