From https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/signing-a-kernel-and-modules-for-secure-boot_managing-monitoring-and-updating-the-kernel: “In addition, the signed first-stage boot loader and the signed kernel include embedded Red Hat public keys. These signed executable binaries and embedded keys enable RHEL 8 to install, boot, and run with the Microsoft UEFI Secure Boot Certification Authority keys. These keys are provided by the UEFI firmware on systems that support UEFI Secure Boot.”
Basically the Microsoft keys are ones that the firmware vendor (motherboard or chip manufacturer) recognizes as secure by default (via CA validation). You can override them. It’s not a Linux issue but a hardware-vendor-defaulting-to-Microsoft issue.
You’re not wrong, but unfortunately it’s not simple and can brick your motherboard if you make a mistake. I wouldn’t expect the average Linux user to do it these days. It can also depend on the hardware. If they don’t expose any ability to change the keys you’re stuck.