Qubes OS should not certify insecure and ancient hardware

That is true, and again, if that is realistically within your threat model, then act accordingly. That is not the point of my suggestion though; please refer to the last two paragraphs of my previous post.

Of course, I only mentioned Intel BootGuard for simplicity’s sake. Other factors are important if your threat model involves attackers trying to get physical access: DRAM memory encryption, DMA protection, pre-boot DMA protection, firmware rollback protection, AEM and others.

TrenchBoot can already be used as the AEM provider in Qubes using Intel or AMD CPUs, but only on legacy boot. They are still working on UEFI compatibility and upstreaming their changes.

I didn’t say that. The majority of users do not have state actors as their threat model and would not require unfused Intel BootGuard. Again, referring to my previous post, my suggestions are for providing reasonable security for the majority of users with an average threat model. There is a discussion about flaws with Heads here.

I don’t think Heads is the way to go. Once Qubes supports Secure Boot and TrenchBoot supports UEFI and upstreams it to Qubes, combining this with hardware that implements HSI:2 or above would be the ideal setup for average users imo.
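As an added example (not part of the original post or of the Qubes or fwupd projects), here is a small POSIX shell script that reads the standard Linux sysfs/efivars interfaces for three of the physical-access protections mentioned above: Secure Boot state, whether an IOMMU is active (the basis for DMA protection), and whether the firmware opted in to pre-boot (Kernel) DMA protection for Thunderbolt. It also prints the fwupd Host Security ID line when `fwupdmgr` is installed. Assumptions: the sysfs paths are the ones the mainline kernel exposes, and the optional first argument (an alternate root directory) is a convenience I added so the functions can be pointed at an offline copy of a sysfs tree; with no argument the script reads the live host (run it in dom0 on Qubes, or on the bare-metal OS when evaluating a machine).

```shell
#!/bin/sh
# Added example: quick checks for Secure Boot, IOMMU and pre-boot DMA
# protection via sysfs/efivars. Optional argument: alternate root directory
# (assumption of this example; default is the live system, "").
SYSROOT="${1:-}"

# Secure Boot: the EFI variable is 4 attribute bytes followed by 1 data byte
# (1 = enabled, 0 = disabled). Missing efivars usually means legacy boot.
secure_boot_state() {
  var="$1/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
  [ -r "$var" ] || { echo "unknown (no EFI variables; legacy boot?)"; return; }
  case "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown ;;
  esac
}

# IOMMU: the kernel creates one entry per active IOMMU (Intel VT-d dmarN,
# AMD-Vi ivhdN) under /sys/class/iommu. An empty directory means no DMA
# remapping is in effect, so PCIe/Thunderbolt devices can read all of RAM.
iommu_active() {
  dir="$1/sys/class/iommu"
  if [ -d "$dir" ] && [ -n "$(ls -A "$dir" 2>/dev/null)" ]; then
    echo yes
  else
    echo no
  fi
}

# Pre-boot DMA protection: the Thunderbolt domain attribute is 1 when the
# firmware opted in to IOMMU-based DMA protection and the kernel uses it,
# 0 when protection rests only on Thunderbolt security levels.
preboot_dma_protection() {
  f="$1/sys/bus/thunderbolt/devices/domain0/iommu_dma_protection"
  [ -r "$f" ] || { echo "unknown (no Thunderbolt domain exposed)"; return; }
  case "$(cat "$f")" in
    1) echo yes ;;
    0) echo no ;;
    *) echo unknown ;;
  esac
}

# fwupd Host Security ID (HSI:0..HSI:4); only meaningful on the live host.
hsi_level() {
  command -v fwupdmgr >/dev/null 2>&1 || { echo unavailable; return; }
  fwupdmgr security 2>/dev/null | grep 'Host Security ID' | head -n 1
}

report() {
  printf 'Secure Boot:               %s\n' "$(secure_boot_state "$1")"
  printf 'IOMMU active:              %s\n' "$(iommu_active "$1")"
  printf 'Pre-boot DMA protection:   %s\n' "$(preboot_dma_protection "$1")"
  printf 'fwupd HSI:                 %s\n' "$(hsi_level)"
}

report "$SYSROOT"
```

Note that these are necessary-but-not-sufficient indicators: an active IOMMU only protects memory if the hypervisor or kernel actually assigns devices to isolated domains (which Qubes does for sys-net/sys-usb), and the Secure Boot bit says nothing about which keys are enrolled. Use `fwupdmgr security` for the fuller HSI breakdown.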