UEFI's specification itself does not require that secureboot can be disabled. The only requirement that it needs to be possible to disable it is in Microsoft's requirements. I can't reasonably expect their enforcement to be too aggressive considering that they previously (and still, on ARM) required the opposite.
Signed Fedora will run equally well on systems where secure boot can't be disabled. In the discussion on Fedora-devel the people promoting this change seemed to be saying that this was a good thing that Fedora still ran, and that Fedora/Redhat would have no recourse if it were to happen. What we seem to have constructed is a nice little bit of indirection where a couple billion dollar corporations can take away users rights with respect to software they didn't even write and then all earnestly claim "wasn't me". Instead of "non-transferable covenants not to sue" we have "cryptographic keys you can't distribute", but since code is law (or even more powerful) when it comes to the freedom users have over the software it doesn't matter that the restriction is a technical one.
I also gave the argument above that this isn't the quite same as tivoization, even though the same cryptographic lockdown technology is involved. Fedora is adding functionality to the software to make it run on some new hardware and distributing these enhancements under terms that make downstream distributors choose between the enhancement, making their own version of the enhancement (with a minimum cost of $99) and still limiting further downstream users, or going without the enhancement. What Redhat should be doing is distributing their secure boot signing key, so everyone can enjoy the enhancement without paying fees or losing their ability to modify the software— but presumably they have contractual obligations which prohibit this. I argue that since they can't simultaneously keep the software as free to modify and redistribute as they got it, they ought not to distribute the enhancement at all. Or at least thats an argument.
(And instead, they should make a special signed bootloader shim which, if secure boot is enabled, it displays a set of help screens to help users turn it off or add their own keys— this would itself not be the freeest of software, but it would be trivial and the author(s) would obviously agree with that kind of distribution)