[simiones]

Secure Boot ensures that it's impossible to run a rootkit, even if the user accidentally installs one. Instead of booting into corrupted Windows, the system would fail to boot.

[mjg59]

The switch doesn't disable secure boot, it merely allows files signed using the Microsoft 3rd Party UEFI CA to boot.

(Context: I wrote a significant portion of the infrastructure used to support Linux booting on systems with UEFI Secure Boot)

[zinekeller]

It's definitely harder, but not impossible. The Realtek signing driver was stolen multiple times already, and I personally know that certificate management practices (in Asia in general) is abysmal.

[Avamander]

This current scenario is very likely Device Guard that limits the CA's that may be used, that it's not Secure Boot with its defaults.

So the security benefit would be avoiding 3rd party and signed, but potentially vulnerable "bootloaders"