It's fine providing the end-user is able to enrol their own keys - the original signing keys are then not required to replace grub, so there's no need to give them to anyone. Microsoft require that all Windows-certified systems provide that functionality, so any off the shelf firmware is going to implement it - vendors would have to actively remove the functionality in order to have a problem. The contract with Canonical should simply state that it's the vendor's responsibility to provide this feature in order to comply with the software licenses.
If vendors *want* to ship systems without supporting re-enrolment of keys then yes, there's an obvious problem. But given Mark Shuttleworth's voiced concerns about user freedoms with secure boot, I'd be surprised if Canonical wanted to support that.