Arch user here. These things work much nicer than any of the previous alternatives. Sure, kernel signing is a bit of a mess, but that's more of a product of how key-signing at a low-level works than anything. Cryptsetup, cryptenroll, unified kernel images, and systemd-boot worked for me out of box.
They very much did not for me. I beat things into shape with sbctl but it was very much an uphill battle.
idk why Arch seems allergic to packaging shim-signed (it's an AUR, why would I trust such a key component to essentialy a stranger?), but here we are I guess.
you can inspect the PKGBUILD file very easily. it's same as alpine's abuild and various other build file formats from distros. don't just blindly build it
