MS's pluton is in every new CPU.

And? Just, uh, boot without secure boot and patch things until they work again without enforcing code signing? The only way this sort of thing could be possibly partially enforced is by remote attestation for apps that depend on a server to function. So do what iOS jailbreaks did, except you don't need a vulnerability to start because secure boot will always be optional.

Secure boot will not always remain optional for windows.

And how could that possibly be enforced?

Same way it works for anti cheat.

The whole point of anti-cheat is to provide some sort of proof to a game server that your client is unmodified. What would be the server in this case?

Who decided that secure boot can't be made mandatory on x86 systems?

Microsoft.

They can reverse their decision at any time. Inasmuch as you are able to boot Linux on your PC, it's only because Microsoft deigns to allow it.

>only because Microsoft deigns to allow it

Other operating systems could still collaborate with manufacturers to have their key be trusted.

But manufacturers won't cooperate. One OEM (Asus?) once cited a price of like $16M to trust one key. The price for Microsoft is nothing because Microsoft can say "trust our keys or lose Windows certification".

Good thing they’re trying to move off x86, then

I was under the impression that Secure Boot was a lot of the reason behind Windows 11's TPM 2.0 requirement.

That requirement isn't technical though. It's purely a marketing one. You can still install Windows 11 on a TPM-less machine and, for all intents and purposes, it'll work just fine.