I wish this either exempted root, or was a sysctl that root could turn off at runtime. Boot-time-only parameters that restrict root, combined with the ongoing efforts to make the kernel command line part of what gets signed by Secure Boot and measured by the TPM, feel like more attempts at tivoization and iOS-ification of Linux.