
torginus, yesterday at 11:44 PM (0 replies)

Just like with HTTPS, you can enrol your own keys in the TPM module, or sign your binaries with a key that's already trusted by your system.

This is just establishing chain of trust, and does not prevent you from doing anything on your system.

True, this could be hypothetically extended to disallow booting third-party binaries, but I would say that's just extrapolation for now and not reality.
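The chain-of-trust point above, as an added example that is not part of the commenter's post: a verifier holds a store of enrolled public keys (modelled here on a Secure Boot allowlist such as a `db` or MOK list) and accepts an image only if its signature checks out under one of those keys. Enrolling your own key makes your own signatures trusted, while an unenrolled key or a tampered image is rejected. Every name here (`TrustStore`, `Enrol`, `SignedImage`, `Scenario`) is hypothetical, the sample image bytes are constructed, and Ed25519 stands in for the X.509/Authenticode signatures real firmware uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TrustStore models the set of enrolled signing keys a boot loader or
// firmware will accept (hypothetical stand-in for a Secure Boot db/MOK list).
// Keys are indexed by the SHA-256 of the raw public key.
type TrustStore struct {
	keys map[[32]byte]ed25519.PublicKey
}

func NewTrustStore() *TrustStore {
	return &TrustStore{keys: map[[32]byte]ed25519.PublicKey{}}
}

// Enrol adds a public key to the trusted set. In a real system this is the
// privileged step (done from firmware setup, or authorised by an already
// trusted key); anything signed by an enrolled key is accepted from then on.
func (ts *TrustStore) Enrol(pub ed25519.PublicKey) {
	ts.keys[sha256.Sum256(pub)] = pub
}

// SignedImage is a binary plus a detached signature and the id of the key.
type SignedImage struct {
	Payload []byte
	KeyID   [32]byte
	Sig     []byte
}

// Sign produces a SignedImage over payload with the given private key.
func Sign(priv ed25519.PrivateKey, payload []byte) SignedImage {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedImage{
		Payload: payload,
		KeyID:   sha256.Sum256(pub),
		Sig:     ed25519.Sign(priv, payload),
	}
}

var (
	ErrUntrustedKey = errors.New("signing key is not enrolled")
	ErrBadSignature = errors.New("signature does not verify")
)

// Verify accepts the image only if it was signed by an enrolled key and the
// payload has not changed since signing.
func (ts *TrustStore) Verify(img SignedImage) error {
	pub, ok := ts.keys[img.KeyID]
	if !ok {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(pub, img.Payload, img.Sig) {
		return ErrBadSignature
	}
	return nil
}

// Scenario walks through the three cases: an image signed with your own
// enrolled key, one signed with an unenrolled third-party key, and one
// signed with the enrolled key but modified afterwards.
func Scenario() (ownKey, thirdParty, tampered error) {
	ts := NewTrustStore()

	ownPub, ownPriv, _ := ed25519.GenerateKey(rand.Reader)
	ts.Enrol(ownPub) // the enrolment step the comment refers to

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // never enrolled

	// Constructed sample payload standing in for a boot loader binary.
	image := []byte("constructed sample: my-bootloader.efi contents")

	ownKey = ts.Verify(Sign(ownPriv, image))
	thirdParty = ts.Verify(Sign(otherPriv, image))

	bad := Sign(ownPriv, image)
	bad.Payload = append([]byte{}, bad.Payload...) // copy, then flip one bit
	bad.Payload[0] ^= 0x01
	tampered = ts.Verify(bad)
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Println("own enrolled key:          ", a)
	fmt.Println("unenrolled third-party key:", b)
	fmt.Println("tampered image:            ", c)
}
```

The trust store is the whole policy: nothing here inspects what the binary does, only who signed it and whether it is intact, which is why enrolling a key you control lets you run whatever you sign while a key you never enrolled gets nowhere.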