You don't replace the bootloader. You replace the first unsigned thing that runs; in the solution described for Fedora this would be systemd. systemd would then execute the kernel exploit and intercept IO from the update process in order to make updates invisibly fail.
You only get the benefit if you sign and lock down 100% of the software which will run before updates are applied from the network. Perhaps that's viable on Windows, though I'm doubtful. Regardless, what's suggested for Fedora would not have that property.