I will try to explain it from the basics, because there are so many misunderstandings. You turn on your computer -> EFI image -> grub -> initrd -> LUKS decryption -> boot.
Currently there is zero guarantee that your system is not compromised even if you use Full Disk Encryption.
Where are the places that Ubuntu is vulnerable?
Basically the first three steps after turning on your computer.
How can we change that?
For the first step: With secure boot you can guarantee that everything up to and including grub is verified on boot.
But an attacker could just edit your /boot partition itself and still have a persistent rootkit on your machine.
How do we fix this? By encrypting the /boot partition and decrypting it with grub. (1)
The result? A chain of trust.
(1) An alternative here is to implement a system such as in the secure boot link I posted, where every kernel and initrd is individually signed and verified using a key in the hardware TPM (if your machine has one).
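A boot-chain audit for the three links described above (Secure Boot, GRUB able to unlock LUKS, /boot inside a LUKS container), added here as an example and not part of the original post. It assumes efivarfs, /etc/default/grub and lsblk as found on a stock Ubuntu install; every check takes an optional file argument so it can also run against captured or constructed data.

```shell
#!/bin/sh
# Audit the boot chain: firmware Secure Boot -> GRUB can unlock LUKS -> /boot is encrypted.
# Added example, not from the original post. Each check accepts a file argument so it can
# be run offline against captured data instead of the live host.

# Link 1: the SecureBoot variable on efivarfs is 4 attribute bytes followed by one data
# byte; 1 means the firmware enforces signature checks on the EFI image (shim/GRUB).
secure_boot_enabled() {
    _f="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
    [ -r "$_f" ] || return 2                       # not UEFI, or no permission
    _byte=$(od -An -tu1 -j4 -N1 "$_f" | tr -d ' ')
    [ "$_byte" = "1" ]
}

# Link 2: GRUB only embeds the cryptodisk/LUKS modules and the unlock prompt in its core
# image when GRUB_ENABLE_CRYPTODISK=y is set in /etc/default/grub before grub-install.
grub_cryptodisk_enabled() {
    _f="${1:-/etc/default/grub}"
    [ -r "$_f" ] || return 2
    grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK="?y' "$_f"
}

# Link 3: the device holding /boot must be a LUKS mapping (lsblk TYPE "crypt").
# Input is `lsblk -rno NAME,TYPE,MOUNTPOINT` output, read from a file if one is given.
# Edge case: with no separate /boot mount, /boot lives inside the root filesystem, so the
# "/" entry is checked instead. (LVM-on-LUKS shows TYPE "lvm"; extend with lsblk -s for that.)
boot_is_on_crypt() {
    if [ -n "$1" ]; then _out=$(cat "$1"); else _out=$(lsblk -rno NAME,TYPE,MOUNTPOINT); fi
    printf '%s\n' "$_out" | awk '
        $3 == "/boot" { b = $2 }
        $3 == "/"     { r = $2 }
        END { m = (b != "") ? b : r; exit (m == "crypt") ? 0 : 1 }'
}

# Runs all three checks; returns the number of broken links (0 = chain intact).
audit_boot_chain() {
    _fail=0
    if secure_boot_enabled "$1"; then echo "ok   Secure Boot enforced"
    else echo "FAIL Secure Boot off or unreadable (EFI image and GRUB unverified)"; _fail=$((_fail + 1)); fi
    if grub_cryptodisk_enabled "$2"; then echo "ok   GRUB_ENABLE_CRYPTODISK=y"
    else echo "FAIL GRUB not built to unlock LUKS before loading kernel/initrd"; _fail=$((_fail + 1)); fi
    if boot_is_on_crypt "$3"; then echo "ok   /boot is inside a LUKS container"
    else echo "FAIL /boot is plaintext (kernel/initrd can be altered offline)"; _fail=$((_fail + 1)); fi
    return $_fail
}
```

Source the file and call `audit_boot_chain` with no arguments to check the running system; each non-zero return value counts the links that are missing.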