AstralStorm 14 hours ago
Technically you can revoke the default root of trust and install your own. Then manually sign your bootloader. This feature is available at least in my Gigabyte mainboard, but is not particularly easy to use, which is why bootloaders come pre-signed with a known root of trust. There's nothing stopping the installer from generating the root of trust on the fly, except for the default settings in many machines. Can also preload measurements for hardware while at it so that nobody swaps a PCIe device for an evil twin.
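The procedure the comment describes (generate your own root of trust, then sign the bootloader with it), as an added example that is not part of the original comment. It assumes `openssl` for key generation and `sbsign`/`sbverify` from sbsigntools for signing; the function names, directory layout, owner name and key parameters are illustrative choices, and enrolling the resulting certificates in place of the default keys is done through the firmware's own setup screen.

```shell
#!/bin/sh
# Added example: owner-controlled Secure Boot keys (PK, KEK, db) and a signed bootloader.
# Function names, paths and the owner name are assumptions, not from the original comment.

# gen_sb_keys DIR [OWNER]: create one self-signed X.509 key pair per Secure Boot variable.
gen_sb_keys() {
    dir=$1; owner=${2:-example-owner}          # placeholder owner name
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    for name in PK KEK db; do
        # -nodes leaves the private key unencrypted: keep DIR on offline or
        # encrypted storage, since whoever holds db.key can sign bootable code.
        openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
            -subj "/CN=$owner $name/" \
            -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null || return 1
        chmod 600 "$dir/$name.key"
        # DER copy for enrollment through the firmware setup screen
        # (assumption: the firmware accepts DER-encoded certificates).
        openssl x509 -in "$dir/$name.crt" -outform DER -out "$dir/$name.cer" || return 1
    done
}

# cert_fingerprint FILE: SHA-256 fingerprint, to compare with what the firmware
# shows after enrollment.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# sign_bootloader DIR IN.efi OUT.efi: sign with the db key, then verify the result
# against the db certificate before it is copied to the EFI system partition.
sign_bootloader() {
    command -v sbsign >/dev/null 2>&1 || { echo "sbsign not installed" >&2; return 2; }
    sbsign --key "$1/db.key" --cert "$1/db.crt" --output "$3" "$2" &&
        sbverify --cert "$1/db.crt" "$3"
}
```

Only the db key is needed for day-to-day signing; PK and KEK are used when the key databases themselves change and can stay offline otherwise.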