I guess the point is: delegate to kernel, then “oh, people with root can bypass with modules? Secure Boot!”