Yep. But that’s also true for, say, Manjaro’s grub efi located on $esp without encryption and Secure Boot signature. So anyone who has so-called “full disk encryption” is not that safe as he/she might think, and this brings us to the conclusion that such encryption is useless without bootloader and/or boot files being signed with a SB key in the first place.
This is why I mentioned “unified” images. It is a solution that makes sense to full disk encryption (with /boot files encrypted). It also prevents from attacker’s fiddling with cmdline options.
do people here seriously not read anything at all? I explained it like 30 times now that this is already how Manjaro works if you select nonfree drivers. What would the point of installing nvidia drivers on non NVIDIA hardware be? In this case you were actually on my side of the argument.
Now we are once again expecting people to know when to use proprietary drivers. We already know a lot of new users have no idea under which conditions proprietary drivers are necessary. (NVIDIA is the ONLY nonfree config)