It seems to me that the signed bootloader could offer two options:
1) Microsoft Windows (signed)
2) Ubuntu (unsigned).
If the user selects (2) then the unsigned Ubuntu could load a malware infested Windows, but it would be less suspicious to just load a malware infected Ubuntu. Whenever the user attempts to load Windows, they are protected by secure boot as before.
If the goal is instead to protect DRM from the user, then the bootloader should do whatever a "correct" BIOS does when given a self-signed key. That way, if the DRM is broken it can't be blamed on Ubuntu.