@Suiseiseki if you get a modern intel processor OEM system it's designed to be electronically incapable to running unsigned UEFI firmware (intel boot guard)
These protections aren't 100% perfect but they do seriously work and make attackers lives so much harder, often just not worth the effort
as example from that same wiki page here's how even NSA's SMEs were affected by storage drives starting to secure vendor-commands/firmware around that time, it fucked them up
Not even just governments even ransomware groups (eg trickbot) have dipped their toes in UEFI stuff, if vendors allowed installing custom UEFI firmware we'd have ransomware campaigns except granny would have to throw out her physical hardware instead of just reinstalling windows