

But this breaks automatic updates without entering the BIOS and is just not feasible except for the PC on your desk at home.
As almost always, the answer is “it depends”.
From a security perspective you want to make sure that what your system boots is trusted and not tampered with by a third party. If your threat model includes people with physical access or malicious software (rootkits) manipulating your operating system, then secure boot can help mitigate that if you set it up correctly.
If that’s none of your concern, then you probably shouldn’t bother with it.
I think I understand why you are offended by this sentence and I’m with you on the benefits of user freedom.
For the first part, yes, technically only the bootloader has to be signed, after that the bootloader is trusted and should do “the right thing”.
What I meant was that manually entering the BIOS after an upgrade of the thing you want to boot into (e.g. grub) is not an option for computers that you can’t easily access physically, especially in large numbers and located somewhere other than your home. IMHO the system is not “silly”, but works well in these scenarios. I agree that it is not designed to be convenient for end users.