Secure boot and OEM bootloader unlock should be able to work with images so you can lock a phone after the upgrade again.
I managed to get a US refubished Pixel 2 somehow with a fuselocked bootloader here in Ireland. I bought it second hand but I've no idea how it got that way. But I'm suck on the Pixel image and I wanted to use it for ROM testing etc.
You can relock the bootloader but it still fails the SafetyNet check since it's not running an "official" OS signed with the manufacturer's keys.
yup it will, but this is where some legislation might help to get certified 3rd party ROM images that will pass. Its a tricky topic though.
This is outside of my area of expertise. I know there are i.e. banking apps that will disable themselves if you're running some unofficial 3rd party Android derivative like LineageOS. Are you saying those apps would work again if you perform some kind of secure boot locking procedure?
It does vary. TWRP/Magisk can enable apps, but its case by case.