I have great respect for mjg59's work and intelligence, but I too think that this might be introducing far more restrictions than can be supported and more than the threat model warrants. The only thing that is checked by UEFI is the shim, correct? Therefore that is the only thing that can be blacklisted if it can be used to silently compromise an OS on boot; the rest is just our own leveraging of the Secure Boot feature for our own use. Secure Boot offers very limited protection on boot, nothing after boot, and nothing in a virtualized environment, IIUC. It doesn't protect the kernel from being compromised, and it's not intended to; nor is it intended to prevent a compromised kernel from suspending/hibernating and resuming.
If one is looking for more general ways to secure a running system, then there are probably other, better places to look, like LSM modules or grsecurity.