Yes, preventing the boot process when something tempers with the files is the whole point of secure boot.
And beside the backups you should always have (remember: no backup, no pity for you…) the keys to sign your EFI files with are on the encrypted disk so the running system can get updated. So deactivating secure boot again, unlocking your encrypted disk from some live boot stick and fixing it is always an option (as is having a live system at hand signed by the same keys if you want to…).
Yes, preventing the boot process when something tempers with the files is the whole point of secure boot.
And beside the backups you should always have (remember: no backup, no pity for you…) the keys to sign your EFI files with are on the encrypted disk so the running system can get updated. So deactivating secure boot again, unlocking your encrypted disk from some live boot stick and fixing it is always an option (as is having a live system at hand signed by the same keys if you want to…).