The user cannot create exceptions on secureboot.Ex:Ubuntu and fedora need to create keys.
Using public keys is not a exception because it needs a cenrtificate authority.

8. Set appropriate value of gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize
for security feature relative databases which uses EFI Variable as storage.
Each database stores in a single variable, the maximum variable size is
defined by PCD value of gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize.
Database categories include:
1) PK database: only one entry for public key of PK plus header info.
2) KEK database: multi-entry for public key of KEK plus header info.
3) Authorized signature database: multi-entries for authorized signatures
and one entry for root X509 certificate, plus header info.
4) Forbidden signature database: multi-entries for forbidden signatures,
plus header info.

NOTICE: Typically the size of one X509 certificate is ~2k, which may exceed
the default maximum variable size. Please adjust the value by PCD if
needed.

9. Set a platform policy of image verification by PCDs.
User can customize platform policy of image verification by PCD value
before build a platform. In [PcdsFixedAtBuild] section of SecurityPkg.dec
file, set the PCD value for each type of device accordingly.

For example, if the platform policy is defined as:
1) Trust all images from OptionROM.
2) Validate all images from removable devices and deny execute when security
violation occurs.
3) Validate all images from hard disk and query user to make decision when
security violation occurs.

Just because someone implements feature in a bad way doesn't mean that feature or standard is bad. Abuse is no argument against proper use. There's absolutely nothing in the standard which would prevent the addition of exceptions or new public keys into the firmware by an end user. Some providers likely will, some won't. Vote with your wallet.

A security feature has the purpose to protect the users and not restrict them.

Even a trusted software from user does not have a key,the system should create a exception system to install the software ,like browsers do.The browser asks the user about the exception.

Nonsense, it was never meant to, plus it's impossible to do really. Is bash a bad standard because it doesn't write it's own scripts?

What it does is ask weather X binary object contains a valid signature based on the keys in it's database, and loads it conditionally based on the answer. So far as I can tell, it is at least a passable standard for what it actually is mean to do.

Yes ,but secure boot is bad standard because they cannot see the difference between a operating system installed by the user and a virus.

Good, I hope Secure Boot locks out all the garbage blobs that are infecting our systems today.