I agree. Even GRUB developers agree:
https://www.gnu.org/software/grub/manual/grub.html#Security
By default, the boot loader interface is accessible to anyone with physical
access to the console: anyone can select and edit any menu entry, and anyone
can get direct access to a GRUB shell prompt. For most systems, this is
reasonable since anyone with direct physical access has a variety of other
ways to gain full access, and requiring authentication at the boot loader
level would only serve to make it difficult to recover broken systems.
However, in some environments, such as kiosks, it may be appropriate to lock
down the boot loader to require authentication before performing certain
operations.
Unfortunately, Trisquel has had a GRUB password by default since Trisquel 4.5
Slaine. Here is an old argument I had with Rúben (Trisquel's leader) back in
2011: https://trisquel.info/forum/how-come-trisquel-dont-have-recovery-mode
Since then, dozens of users on the forum (probably far more overall) have had
to fight against this password: https://trisquel.info/search/node/01_password