I wonder if Microsoft has given any thought to malware, viruses, etc?
Certainly secure boot will make sure that the kernel and anything that can access the hardware has not been rewritten in an unauthorized way. However, I expect that there will still be plenty of mischief that can be initiated at higher levels, including exploits of bugs in the O/S to make it impossible for the active system to detect that it has itself been interfered with.
The best anti-virus scan is offline. Boot a scanner off a read-only medium, scan using an operating system thereon which is immune to whatever is on the hard disk being scanned because it executes nothing from this source. An approach which Microsoft has decided to render impossible on ARM devices. Hmmm. Good news for no-one, except possibly Intel!