Just like with HTTPS, you can enrol your own keys in the TPM module, or sign your binaries with a key thats already trusted by your system.

This is just establishing chain of trust, and does not prevent you from doing anything on your system.

True, this could be hypothetically extended to disallow booting third party binaries, but I would say that's just extrapolation for now and not reality.

under the doctrine that software "trust" is needed YOU are the attacker. It's entirely about stripping your control (thus ownership) from the hardware you paid for (see the safetynet shitshow).