If your attacker has root, and your system allows flashing the BIOS from root (many do), he can simply disable Secure Boot, or enroll one extra signature -- his. If the system doesn't allow flashing a BIOS even if an attacker has root access, then Secure Boot makes no difference whatsoever.
What does the boot rom have to do with the root user of an operating system? How does root help you disable secure boot if there is a password to change UEFI settings for instance?
At the point where you have root you basically won. You can ship user’s data elsewhere. You can install a key logger. You can empty their bank account.
But yes if the OS also let’s you change the boot ROM then you can make your root access semi-permanent.
