> To that extent can't kids just pop in a live USB and get a totally ephemeral and open os?
That's a lot more difficult if you leave secureboot enabled on the computer. Plus, most devices, especially newer ones, allow you to pin your own certificates and sometimes even disable the OEM certs.
That, in addition with locking the BIOS with a password (and if the device does not have known OEM override passwords like on bios-pw.org), should be more than enough to keep a kid out.
That's a lot more difficult if you leave secureboot enabled on the computer. Plus, most devices, especially newer ones, allow you to pin your own certificates and sometimes even disable the OEM certs.
That, in addition with locking the BIOS with a password (and if the device does not have known OEM override passwords like on bios-pw.org), should be more than enough to keep a kid out.