> TPM and Secure Boot do not reduce user choice or promote state or corporate surveillance

Now with remote attestation they do.

> installing their own root of trust and signing their boot image

Won't matter. They can tell we did this. They won't trust our keys. Only their own.