Read it again. I'm saying your concern of supply chain attacks on secure-boot and TPM are like worrying about the ash on your shirt while your house burns down. It's far easier to pwn a system with pre-boot injections on a system without signatures than one with them. Don't like where the signatures come from? Fine. That doesn't make the system have some mysterious backdoor or do whatever sensational magic someone told you it does.