How to enable Secure Boot?

Well, yeah, you cant simply enable it and expect %Random Software% to be recognized as secure.
Unlike the hardware manufacturer and m$oft, there is no existing framework or agreement for there to be acceptable keys for %Random Software%. At least not ‘preloaded’.

This is pretty much accurate.

Never was.

Its still in the same state it was always in - you can, but you have to do it yourself.

Almost the same as here, with the exception of some differences like our kernels:
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Implementing_Secure_Boot

@linux-aarhus has done so I believe