I can't find a primary source for the comment in the tweet, but it seems widely regarded as true at this point, so fingers crossed it pans out that way.
Hm, interesting. I can't seem to find my source anylonger either. The wording "kernel" does suggest to me that this is about a check a bootloader performs. If you were to boot another OS, you'd probably have a different boot loader as well.
This tweet https://twitter.com/never_released/status/133243677102043545... from the same author suggests M1 is "not any more locked down than [...] Intel", so I'm not fully sure about the technical details, but in the end you should be able to boot your own code.
The lowest security level, permissive, allows to mess with the Secure Boot policy at will.
When you use kmutil to add a custom boot entry, enrolling the hash of your executable to the Secure Boot policy is handled automatically as part of the tool.
