There are multiple possible configurations. Only the most basic will permit an arbitrary payload as you describe.

I've never been entirely clear about the security model when the signed shim is permitted. I assume I'm missing some nuance.

Disk encryption alone won't protect you from either persistent malware (remote) or evil maids (local).