How do desktop Linux distros avoid attackers from rolling back the operating system to a vulnerable, but signed version?

This is not an issue specific to Linux, Windows installations can be downgraded as well. As for the mechanism, UEFI devices, alongside key updates, also get revocation list updates.