It’s to protect the user against malware that would insert itself in the boot chain and run at higher privilege than the kernel. Just booting a malicious ISO can insert malware in the boot chain without your knowledge. Once you’re in the boot chain, you boot before the kernel, so you can inject whatever drivers you want.
That’s particularly important on corporate computers where they don’t want users to bypass IT policies, but also important for the average Windows user that won’t stop loading malware on their computers. Without secure boot there’s nothing stopping you from forcing yourself local admin privileges or even silently exfiltrate data.
That’s been a thing forever: DOS boot sector malware for example. By only booting signed bootloaders and kernels, you can ensure this doesn’t happen.
I have a friend that abused an insufficiently locked down GRUB to root his workstation at work by using the init=/bin/sh trick to patch a SUID binary to make his own sudo.