At this moment, I'm running KIARA GNU/Linux, my own remix of Slax 6.1.2 with virtually all of KDE 3.5.10 ported from Slackware 12.2. (I learned of this story from KNewsticker. Does anybody remember KNewsticker?) (http://www.kiaragnulinux.blogspot.com).
I run the root system from a USB thumbdrive, and I run a simple script (the only kind I know how to write) that mounts the hard drive as the /home partition, and nudges me through the steps for recreating a normal user account, creating a new root password, and setting up sudo. It takes about two minutes to log back in after a reboot. The root system runs on the thumbdrive, where nothing is ever overwritten by the system, only by me directly. (I've changed the default in the bootloader to "always fresh" mode.) My personal data and configuration files persist on the hard drive.
I call it "live rooting." I do it because, in theory, it adds a solid layer of security (the root system will always spring back into shape after a reboot) and because, in theory, old software needs extra security, as it may be more vulnerable.
As I understand it (and it's always possible that I don't), secure boot won't change that. The Live CD/USB has long been one of Linux's greatest advantages, but it's mostly been used as a "try before you buy" gimmick. Maybe this will be taken as an opportunity to create new Live Media that integrate with the hard drive to combine flexibility and security in a whole new way.
A Slax USB has a "modules" directory, where *.tgz files can be added and are loaded into the system at boot, and an *.iso can be generated for a new CD. Is there any reason why a similar method couldn't be created for *.deb files or *.rpm files? Usually, this is where someone tells me that it's already been done.