Secure Boot, under its default configuration, doesn’t actually prevent running a trojaned userspace off a USB stick. It tries to block trojaned kernels on a USB stick, and does every bit as bad a job of this as you would expect given the quality of the spec, the quality of the code, and the degree to which the problem is not very well defined.