Hacker News

Yes, in all of these cases you can modify the initrd to steal credentials.


That's not totally a given anymore with so many UEFI laptops capable of Secure Boot. They additionally mentioned Android as a use case for this, which also generally comes with a locked bootloader among other boot chain security features.

You can build the kernel as an EFI module (using EFISTUB) and have EFI verify its signature. Most new laptops do support this and an increasing number of desktops and servers do too. In this case, some users may be surprised to find that even though they used ext4's encryption on /, someone can still modify the inode table since it remains unencrypted (though I could be reading the article wrong).


No, you boot from trusted boot media. A USB stick that's always on you, for example.



