Comment by Cu3PO42

> What prevents Microsoft from mandating removal of enrollment permissions for user keychains and Secure Boot toggle

Theoretically, nothing. But it's worth pointing out that so far they have actually done the opposite. They currently mandate that hardware vendors must allow you to enroll your own keys. There was a somewhat questionable move recently where they introduced a 'more secure by default' branding in which the 3rd party CA (used e.g. go sign shim for Linux) is disabled by default, but again, they mandated there must be an easy toggle to enable it. I don't begrudge them to much for it, because there have been multiple instances of SB bypass via 3rd party signed binaries.

All of this is to say: this is not a scenario I'm worried about today. Of course this may change down the line.