The root of trust in Secure Boot is typically an OEM certificate, not Microsoft's, which is probably even worse: https://www.binarly.io/blog/pkfail-untrusted-platform-keys-u...

In any case, you're free to remove Microsoft's certificates and enroll your own.