I agree with you that it’d be nice if the cuts were a little shallower and allowed for an encrypted boot partition, but you could still have the system reasonably secure by encrypting the data partitions and signing the entire boot process to detect and abort decryption if the boot partition doesn’t match signatures. You already have to do this with the efi partition if you’re particularly paranoid about that attack vector, so this really isn’t a new one.
The simpler the arbitrary string/blob parsing logic the less this happens
https://app.opencve.io/cve/?product=grub2&vendor=gnu
I agree with you that it’d be nice if the cuts were a little shallower and allowed for an encrypted boot partition, but you could still have the system reasonably secure by encrypting the data partitions and signing the entire boot process to detect and abort decryption if the boot partition doesn’t match signatures. You already have to do this with the efi partition if you’re particularly paranoid about that attack vector, so this really isn’t a new one.