Combined with a TPU that wipes keys when secure boot is enabled/disabled gives a pretty secure system, that still allows you to "eject" to an unsigned boot when needed.