Linux

Having read up a bit more on mokutil, seems that it doesnt enroll the key by itself, but gets the uefi firmware to prompt the user to add the key at next boot. Which in theory gets around the malware risk, although given how many people auto-click accept, maybe not.

They already thought of that. You don't just hit accept, you then have to type out a password that you set when you run mokutil. So if malware runs it instead, the user just won't know the password at all.

They then get that signed by the MS key, which would allow that image to boot and setup the key without ever disabling secureboot. You wouldnt need to have a trusted PC either, as if the binary was tampered, it wouldn't boot.

Yes, that's exactly how it has worked up until now, more or less. The issue is that the original Microsoft SB key is expiring and old hardware, that's no longer getting firmware updates by the manufacturer, then the new key isn't going to be added ever. If those distros had a key included as well, they likely would have made its expiry a lot longer, because they support hardware for a lot longer. Microsoft doesn't care because Win11 can't run on most of these devices anyway.