Let’s put ourselves in the evil maid’s shoes, which is the primary threat model of Secure Boot:
- open device (may blow some fuse, e.g. in (some) Thinkpads, but no guarantees)
- extract boot SSD (another possible but totally optional fuse)
- put maliciously crafted JPEG, which exploits some 0-day, on /boot
- tweak grub.cfg to make GRUB2 attempt to load said JPEG
- put it all back and wait till next boot when the Trojan Horse inside said JPEG will intercept the FDE passphrase
- profit (unless the owner is one of the lucky ones who even have said fuses mentioned above)

So users don’t even need to use such grub features for them to be at risk. The mere availability makes GRUB2 vulnerable.