I've spent years of my professional life building KMPs with proprietary modules *and* secure boot support. It can be done, and it's possible to make it work almost hassle-free for end users. Granted, I had the bonus that my signing key was pre-loaded in the BIOS of the servers my former employer sold. But that's just a single, once-in-a-system-lifetime MOK operation away. For NVidia, it "just" takes someone willing to take the legal risk of distributing the drivers in proper KMP format.