
That's not how UEFI capsule updates (which AFAIK is what modern Dell computers use) work. The update is written to the EFI partition, the computer reboots into an EFI updater which loads the update to RAM and tells the BIOS where it is, the computer then reboots again and the BIOS itself loads the firmware update from the staging location in RAM and writes it to flash (which is still unlocked at that point in the boot sequence). At no point does anything other than the BIOS write to the flash.



That matches what I've observed on my ~2017 Dell XPS. On Linux with fwupd (and Windows), it would write the updater to the EFI partition and then set it as the default boot entry for the next boot. I had to manually add Dell's certificate to the EFI "db" variable when I switched to using custom secure boot keys.
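The staging step described in the two comments above (updater written to the EFI partition and selected for the next boot) can be inspected from Linux before rebooting. This is an added example, not part of the thread: it assumes the one-time selection is made through the UEFI `BootNext` variable, decodes `BootNext` and a `Boot####` load option as efivarfs exposes them, and runs on constructed sample bytes (the label and path are constructed values).

```python
import struct

def _var_data(blob):
    """efivarfs prepends a 4-byte attribute word to the variable data."""
    return blob[4:]

def parse_boot_next(blob):
    """BootNext is one UINT16: the Boot#### entry to run once on next boot."""
    (num,) = struct.unpack("<H", _var_data(blob)[:2])
    return "Boot%04X" % num

def parse_load_option(blob):
    """Decode an EFI_LOAD_OPTION into its label and file path nodes."""
    data = _var_data(blob)
    attrs, path_len = struct.unpack_from("<IH", data, 0)
    end = 6  # Description: NUL-terminated UTF-16LE string after the header
    while data[end:end + 2] != b"\x00\x00":
        if end + 2 > len(data):
            raise ValueError("unterminated description")
        end += 2
    desc = data[6:end].decode("utf-16-le")
    paths, pos = [], end + 2
    stop = pos + path_len
    if stop > len(data):
        raise ValueError("FilePathListLength exceeds variable size")
    while pos + 4 <= stop:
        ntype, sub, nlen = struct.unpack_from("<BBH", data, pos)
        if nlen < 4 or pos + nlen > stop:
            raise ValueError("malformed device path node")
        if (ntype, sub) == (0x7F, 0xFF):  # End of entire device path
            break
        if (ntype, sub) == (0x04, 0x04):  # Media device path, File Path node
            paths.append(data[pos + 4:pos + nlen].decode("utf-16-le").rstrip("\x00"))
        pos += nlen
    return {"active": bool(attrs & 1), "description": desc, "paths": paths}

def build_sample():
    """Constructed sample blobs (not captured from a real machine)."""
    desc = "Linux-Firmware-Updater".encode("utf-16-le") + b"\x00\x00"
    fp = "\\EFI\\example\\fwupdx64.efi".encode("utf-16-le") + b"\x00\x00"
    node = struct.pack("<BBH", 0x04, 0x04, 4 + len(fp)) + fp
    end = struct.pack("<BBH", 0x7F, 0xFF, 4)
    opt = struct.pack("<IH", 1, len(node) + len(end)) + desc + node + end
    attr = struct.pack("<I", 7)  # efivarfs prefix: NV | BS | RT
    return attr + struct.pack("<H", 1), attr + opt

if __name__ == "__main__":
    boot_next, boot0001 = build_sample()
    print(parse_boot_next(boot_next), parse_load_option(boot0001))
```

On a live system the input bytes would be read from the `BootNext-8be4df61-93ca-11d2-aa0d-00e098032b8c` and matching `Boot####-…` files under `/sys/firmware/efi/efivars/`.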



