An insecure default to allow UEFI Shell in EDK2 was left enabled in LXD. This allows an OS-resident malicious user to bypass Secure Boot.