by dathinab 1969 days ago
You always need something to live outside of your main disk encryption.

Now you have the choice to use GRUB for this or Linux itself.

In either case both can be modified to do arbitrary things and corrupt later stages.

To prevent this you use Secure Boot and, if you want to do it right, a custom platform key.

So now you either pack the Linux kernel, initramfs, etc. into a single blob and sign it, or do something similar with GRUB.

In both cases you should have a similar secure system.

But in my experience GRUB's functionality in this area is not very nice to use and leads to a slow boot.

On the other hand, directly booting the signed Linux blob without a bootloader is fast and smooth, but exposes what is in your initramfs, which normally doesn't matter.
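As an added example (not part of this comment or of any project it mentions), a check a defender can run over such a blob before enrolling or booting it: it parses the PE headers of an EFI binary to report whether an Authenticode signature entry is attached and whether the file carries the sections a systemd-stub style unified kernel image bundles. The sample PE image is constructed inline, and the section set in UKI_SECTIONS is my assumption.

```python
import struct

# Sections the systemd-stub style UKI bundles (assumption for this check).
UKI_SECTIONS = {".linux", ".initrd", ".cmdline", ".osrel"}


def inspect_pe(data: bytes) -> dict:
    """Parse PE headers and report signature presence, section names, UKI-ness."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24                                  # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]     # 0x20b = PE32+
    # Data directories begin at +112 (PE32+) or +96 (PE32); NumberOfRvaAndSizes
    # is the 4 bytes just before them. Entry 4 is the Certificate Table, which
    # is where an Authenticode (e.g. sbsign) signature is recorded.
    dir_base = opt + (112 if magic == 0x20B else 96)
    ndirs = struct.unpack_from("<I", data, dir_base - 4)[0]
    signed = False
    if ndirs > 4:
        cert_off, cert_size = struct.unpack_from("<II", data, dir_base + 4 * 8)
        signed = cert_off != 0 and cert_size != 0
    sect_base = opt + opt_size                         # section table start
    sections = [
        data[sect_base + 40 * i:sect_base + 40 * i + 8].rstrip(b"\0").decode()
        for i in range(nsect)
    ]
    return {"signed": signed, "sections": sections,
            "is_uki": UKI_SECTIONS <= set(sections)}


def build_sample_pe(sections, signed: bool) -> bytes:
    """Constructed minimal PE32+ image for exercising inspect_pe (not bootable)."""
    pe_off, opt_size = 0x40, 240                       # 112 + 16 directories * 8
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 4 * 8, 0x1000, 0x600)  # fake cert table entry
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", s.encode(), *([0] * 9)) for s in sections)
    return dos + coff + bytes(opt) + hdrs
```

This only tells you a signature entry is present and that the initrd sits as a plain PE section (hence the exposure the comment mentions); verifying the signature against your enrolled platform key is a separate step (e.g. sbverify).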