It prevents malware that obtained root access once from forever replacing your kernel/initrd and achieving persistence that way.

Unless that malware is able to activate the secure boot feature on a system where it is not enabled, in which case it permanently prevents me from removing the malware.