The topic I am working on, uses no boot partition and no grub - it is encrypted using luks2 and boots using a signed efistub. The configured swap is encrypted and it is initialized using a random key on every login.
My test systems allows for resetting to setup mode and an option to disable factory key enrollment.
The keys used to sign the efistub, is then enrolled into Secure Boot as the only keys.
Password protecting the firmware will to a great extent lock down the system.
There is no bootloader - so boothing a timeshifted snapshot from grub is not possible.
This topic is about security and is referencing the PoC topic, which proves that it is actually possible to secure boot a Manjaro Linux without a bootloader to possibly compromise the security.
The PoC does make use of btrfs inside the luks2 container and has a proconfigured .snapshot folder.
With some setup you can use btrfs to roll back to a working snapshot.
I think that It would be possible if your motherboard has its own bootloader. You would manually enter many EFISTUBs (one EFISTUB per snapshot) into the motherboard’s UEFI. But it looks complicated.
Grub, Systemd-boot, and Refind are third-party bootloaders, as far as I know.