Secure boot works a bit differently to what you think. The purpose of secure boot is to check the cryptographic hash of a binary, and if it's not trusted, then it isn't executed. Beyond this, there are no other protections. If you only sign pieces of code that you trust, and these only execute (privileged) pieces of code that you trust, you can ensure you are protected. So a signed, malicious binary can emulate an SBE environment, then boot the SBE enabled Windows.
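The point about trust only holding if every trusted stage also checks what it launches can be modelled in a few lines. This is an added example, not part of the original answer: a simplified Python model in which the allowlist is a set of SHA-256 hashes, and the stage names, image bytes and the `verifies_next` flag are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Stage:
    name: str
    image: bytes         # constructed stand-in for the binary's contents
    verifies_next: bool  # does this stage check what it launches?

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def boot(chain, trusted):
    """Return (executed, unverified): names that ran, and names that ran unchecked.

    The firmware checks only the first stage. Every later stage is checked
    only if the stage that launches it performs the check.
    """
    executed, unverified = [], []
    checking = True  # firmware always verifies the first stage
    for stage in chain:
        if checking and digest(stage.image) not in trusted:
            break  # untrusted hash: refused, nothing further runs
        if not checking:
            unverified.append(stage.name)
        executed.append(stage.name)
        checking = stage.verifies_next
    return executed, unverified

# Constructed sample images (not real binaries).
STRICT = Stage("strict-loader", b"loader v1", verifies_next=True)
LAX = Stage("lax-loader", b"loader v2", verifies_next=False)
KERNEL = Stage("kernel", b"kernel", verifies_next=True)
UNKNOWN = Stage("unknown-payload", b"unsigned code", verifies_next=False)

TRUSTED = {digest(s.image) for s in (STRICT, LAX, KERNEL)}

def demo():
    return {
        "all_trusted": boot([STRICT, KERNEL], TRUSTED),
        "untrusted_first_stage": boot([UNKNOWN, KERNEL], TRUSTED),
        "strict_then_unknown": boot([STRICT, UNKNOWN, KERNEL], TRUSTED),
        "lax_then_unknown": boot([LAX, UNKNOWN, KERNEL], TRUSTED),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

In the last case the kernel still runs, but nothing has checked it or the stage before it, which is why every trusted image that no longer enforces the check needs to be removed from the allowlist.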