Well, no, for /boot it was only a theoretical concern, I don’t know a way how to exploit it there.
That is where I don’t get your reasoning. An attacker writes a file, for it to be automatically executed.
Whether that file replaces an existing file, or is new, but tricks an existing file into loading it, is a very academic distinction.
I understand there are other kinds of attacks that need other tools. But to me, that’s still the same attack.
Isn’t the fix for this (notice files that don’t have a checksum recorded) equally trivial than the workaround for the attacker (don’t overwrite files)?