Media boot policy
Media boot policy is shown only on Mac computers with an Apple T2 Security Chip and is completely independent of the secure boot policy. Even if a user disables secure boot, the default behavior is unchanged: the Mac refuses to boot from anything other than the storage device directly connected to the T2 chip.
Historically, Mac computers have been able to boot from an external device by default. This allowed an attacker with physical possession of the device to run arbitrary code from the booted volume. The combination of protections such as FileVault and secure boot means there are no known architectural weaknesses through which an attacker running from an external volume can access the user’s data without knowing that user’s password. However, even temporary arbitrary code execution can let an attacker manipulate the Mac in ways that stage attacker-controlled data to exploit vulnerabilities unknown to Apple. Such arbitrary code execution can therefore lead to a compromised user boot and, subsequently, to compromise of user data.
On Mac computers with a T2 chip, Apple changed the policy for external boot to default-deny, so that allowing external boot is something a user must explicitly opt out of the default to enable. On Mac computers without a T2 chip, users could always set a firmware password to opt in to this default-deny behavior. However, firmware passwords were not well known and saw very little adoption. With this policy change, Apple gives the Mac the best protection possible by default, rather than putting the onus on users to opt in.