The capability isn't about thwarting secure boot, but whether it's enabled.
Maybe the name could be CAPS_UNSECURED_BOOT, CAPS_ALLOW_UNLOCK, CAPS_DRM_UNLOCKED...?
Btw, regarding this comment in the article:
"they vary from CAP_DAC_OVERRIDE (able to override file permissions) to CAP_NET_BIND_SERVICE (can bind to a low-numbered TCP port) to CAP_SYS_ADMIN (can do a vast number of highly privileged things)"
IMHO the most annoyingly ambivalent capability is CAP_SYS_PTRACE. Many low-level developer tools need it, whether it's a question of ptrace() calls (GDB, strace...) which can modify the attached process *or* just reading process maps & smaps files from /proc/ to find out processes' real memory usage.
The latter restriction is especially frustrating because memory usage information is something that even a normal user may need access to, to find out what process in his/her system is making it crawl, or to provide information about that to a developer (using some tool suitable for that).