Practically all of the industry does it this way: vendor holds the keys.
That’s exactly the case with Purism too until you’ve re-build Heads with your own key - which is hardly something we could expect from an average user. And even if you did - I hadn’t wrapped my head around making this compatible with kernel updates which are still provided by Purism and signed with their vendor key. Do you have any point to enlightening reading per chance?