Certainly an unorthodox grub hack, but it’s replicable and it works. Maybe in the future systemd-boot or rEFInd will gain the features I want. Until then, only grub offers what I want.
If a grub update ever breaks this, or maybe just to future-proof this, then I’ll probably just use Arch’s PKGBUILD, makepkg, and patch tools to patch the grub_efi_get_secureboot function of sb.c so that grub always thinks it’s not in secure boot. And maybe put that version on the AUR.
I think this post is you learning the hard way: there’s no such thing as a one-step process in Linux.
No, this post is me proving everybody who told me to switch away from grub (despite my insistence that only grub has the features I need) wrong.