Yep. But that’s also true for, say, Manjaro’s grub efi located on $esp without encryption and Secure Boot signature. So anyone who has so-called “full disk encryption” is not that safe as he/she might think, and this brings us to the conclusion that such encryption is useless without bootloader and/or boot files being signed with a SB key in the first place.
This is why I mentioned “unified” images. It is a solution that makes sense to full disk encryption (with /boot files encrypted). It also prevents from attacker’s fiddling with cmdline options.