How to enable SecureBoot

You’re welcome!

ZFS + SecureBoot on NixOS via lanzaboote works already out of the box because we don’t enable module signing in the kernel because it breaks reproducibility of the kernel. This is an open problem to achieve this in a smart way (i.e. reuse the SecureBoot PKI or something) and we won’t tackle this soon because we want to streamline the experience without module signing first.

Module signing will happen when we may offer “default” NixOS images with SecureBoot.

I will put it in a polite way, but GRUB is a very problematic bootloader which I strongly advise you not to use anymore. Anyone is free to support GRUB use cases in nixpkgs and NixOS and lanzaboote, but I have yet to see people show up for the work except from people who also want to avoid GRUB, like me.

systemd-boot is the blessed bootloader for now, U-Boot will have backend support too, and finally one of our community members is working on a potential GRUB replacement in Rust, but this is probably going to take a while before it can be used.

I may release in the future a mechanism to have legacy systems work like UEFI systems via a UEFI compatibility layer using U-Boot, but this is a very experimental project at the time.
