Microsoft, by default, decides which code is safe to run, yes.
However, that’s not the only way to use Secure Boot; I enroll my own certificates in addition to Microsoft’s, allowing code that I sign to be booted into. This requires some UEFI setup once.
For most machines, Secure Boot should never lock you out completely; you can always disable it, fix your boot chain and re-enable it.
I think it’s actually sensible technology, but as every security feature, it usually comes at the cost of some convenience.
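For the "enroll my own certificates in addition to Microsoft's" point above, a practitioner usually wants to audit what actually ended up in the `db` variable. The following is an added example, not code from the commenter: it parses the EFI_SIGNATURE_LIST format that `db`/`dbx`/`KEK` use, and can be pointed at the Linux efivars file for `db` (path assumed to be the standard `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f`, which carries a 4-byte attribute prefix before the data). The sample `db` blob, the owner GUID and the certificate bytes are constructed placeholders so the code runs offline; they are not real enrolled keys.

```python
import struct
import uuid
from dataclasses import dataclass
from typing import List

# Well-known SignatureType GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# EFI_SIGNATURE_LIST header: SignatureType (16) + ListSize (4) + HeaderSize (4) + SignatureSize (4)
ESL_HEADER_LEN = 28
DB_EFIVAR_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


@dataclass
class Signature:
    sig_type: str      # "X509", "SHA256" or the raw GUID for unknown types
    owner: uuid.UUID   # SignatureOwner: who enrolled this entry
    data: bytes        # DER certificate or 32-byte hash


def parse_esl_blob(blob: bytes) -> List[Signature]:
    """Walk a concatenation of EFI_SIGNATURE_LISTs and return every entry."""
    sigs: List[Signature] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_guid = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < ESL_HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize does not fit the data")
        if sig_size <= 16:  # every entry starts with a 16-byte SignatureOwner GUID
            raise ValueError("SignatureSize too small")
        body = blob[off + ESL_HEADER_LEN + hdr_size: off + list_size]
        if len(body) % sig_size != 0:
            raise ValueError("signature list body is not a multiple of SignatureSize")
        name = SIG_TYPE_NAMES.get(type_guid, str(type_guid))
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            sigs.append(Signature(name, uuid.UUID(bytes_le=entry[:16]), entry[16:]))
        off += list_size
    return sigs


def parse_efivar_file(raw: bytes) -> List[Signature]:
    """efivars files start with 4 bytes of variable attributes, then the ESL data."""
    if len(raw) < 4:
        raise ValueError("efivar file too short to hold attributes")
    return parse_esl_blob(raw[4:])


def build_esl(type_guid: uuid.UUID, owner: uuid.UUID, entries: List[bytes]) -> bytes:
    """Build one EFI_SIGNATURE_LIST; all entries in a list must have equal length."""
    if not entries or any(len(e) != len(entries[0]) for e in entries):
        raise ValueError("entries must be non-empty and equally sized")
    sig_size = 16 + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    return type_guid.bytes_le + struct.pack("<III", ESL_HEADER_LEN + len(body), 0, sig_size) + body


# Constructed sample: one self-enrolled "certificate" plus two hash entries.
# The owner GUID and certificate bytes are placeholders, not real key material.
MY_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
FAKE_CERT_DER = b"\x30\x82\x01\x00" + b"\xab" * 60  # placeholder, not a parseable X.509 cert
FAKE_HASHES = [bytes([1]) * 32, bytes([2]) * 32]
SAMPLE_DB = (build_esl(EFI_CERT_X509_GUID, MY_OWNER, [FAKE_CERT_DER])
             + build_esl(EFI_CERT_SHA256_GUID, MY_OWNER, FAKE_HASHES))
# Attributes NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x27, as on a real db.
SAMPLE_EFIVAR = struct.pack("<I", 0x27) + SAMPLE_DB


def summarize(sigs: List[Signature]) -> List[str]:
    """One human-readable line per entry, useful for spotting unexpected owners."""
    return [f"{s.sig_type:6} owner={s.owner} len={len(s.data)}" for s in sigs]


if __name__ == "__main__":
    try:
        with open(DB_EFIVAR_PATH, "rb") as f:
            entries = parse_efivar_file(f.read())
        source = DB_EFIVAR_PATH
    except OSError:
        entries = parse_efivar_file(SAMPLE_EFIVAR)
        source = "constructed sample"
    print(f"db entries from {source}:")
    for line in summarize(entries):
        print("  " + line)
```

On a machine with a custom enrollment, the output should show the Microsoft-owned entries alongside one whose owner GUID is yours; an owner or type you do not recognise is the thing to investigate before trusting the boot chain.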
Sorry for linking Reddit but https://www.reddit.com/r/bowlingalleyscreens/ has some hilariously dark animations