When using UEFI secure boot you typically boot into the shim (signed with a certificate OOB-trusted on almost all PCs), which verifies the integrity of grub and then passes on control to that.

Without secure boot, I don’t think there is any need for the shim, but if it’s still used or not in those cases, I do not know.