Hundreds of UEFI products from 10 vendors are susceptible to compromise due to a critical firmware supply-chain issue known as PKfail, which allows attackers to bypass Secure Boot and install malware.
Sounds like this is completely about the preloaded PKs, so if you set up your own Secure Boot with your own keys, then you're probably fine, because you would have cleared out the OEM keys, right?
If the BIOS is locked, you can't modify the enrolled keys - that's the point. The guide you linked assumes the BIOS is already set to enroll mode, which requires unlocking it.
The result is that without the BIOS password (or a BIOS in default state) you can't change the settings.
I have my laptop set to only allow booting internal drives and to verify with my own enrolled keys. The only way to bypass it to use something like Ventoy is to unlock the BIOS and use the one-time boot menu, or to enroll their key, or to sign Ventoy with your own key.
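A defender-side check for the preloaded-PK question discussed in this thread, added here as an example and not written by any commenter or by the article's authors: it parses the Platform Key variable as Linux efivarfs exposes it and reports whether the enrolled PK looks like a vendor test key. The marker strings are the ones publicly reported for the PKfail test keys and do not come from this page; `make_pk` and the sample certificates are constructed for illustration.

```python
import struct
import uuid

X509_TYPE = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # EFI_CERT_X509_GUID
PK_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Subject/issuer strings publicly reported for the PKfail test keys (not from this page).
TEST_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")

def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for every entry in EFI_SIGNATURE_LIST data."""
    off = 0
    while off < len(blob):
        if off + 28 > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or sig_size < 16 or end > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        for pos in range(off + 28 + hdr_size, end - sig_size + 1, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
        off = end

def audit_pk(raw):
    """Classify a raw efivarfs read of PK as 'no-pk', 'test-key' or 'enrolled'."""
    entries = list(parse_signature_lists(raw[4:]))  # skip 4-byte attribute prefix
    if not entries:
        return "no-pk"
    for sig_type, _owner, data in entries:
        # Raw byte search works for ASCII/UTF-8 name strings inside the DER certificate.
        if sig_type == X509_TYPE and any(m in data for m in TEST_MARKERS):
            return "test-key"
    return "enrolled"

def make_pk(cert):
    """Build a constructed PK variable holding one X.509 entry (sample data only)."""
    sig = uuid.UUID(int=0).bytes_le + cert
    hdr = X509_TYPE.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig))
    return struct.pack("<I", 0x27) + hdr + sig

if __name__ == "__main__":
    try:
        with open(PK_PATH, "rb") as f:
            print(audit_pk(f.read()))
    except FileNotFoundError:
        print("no-pk (setup mode or not booted via UEFI)")
```

A result of `enrolled` only means no test-key marker was found; confirming the PK is your own still requires comparing the certificate against the one you enrolled.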