But you aren't booting an arbitrary kernel, a cold boot will get you a verified kernel image and modules off disk. As far as the kernel being modified after boot, that's outside the scope of this protection and annother matter entirely. I've worked in security for much of my career, one of the hardest things is knowing when enough is enough, when adding more protections, restrictions and security is counter productive. I think that's the case here.
If we want to work on other kernel security measures then I don't think it should be in the context of Secure Boot as that has been pushed as far as it will go and will take a few years of operational use to cool down. You can start a new project to help prevent unauthorized entry into the kernel, making kexec do signature checking maybe, but you can't _fundamentally_ prevent code from being loaded into the kernel after users pace is started, there are too many holes for that. The kernel team does their level best to plug holes as fast as they can and that's what we have to rely on for now.