Yes, grubbls (or, more precisely, the GRUB2 blscfg/bls_import commands) ignores any BLS entry without a linux key. And (open)SUSE grubbls is built to only parse BLS entries; it ignores the “normal” grub.cfg.
The pragmatic solution is to use systemd-boot, which offers more functionality. In particular, it will (try to) auto-detect the Windows EFI bootloader and add it to the menu. TBH I still do not understand the purpose of grubbls when systemd-boot already exists.
There is no abstract security. You need to start with your threat model and what you are protecting against. In particular, you apparently confuse “security” with “convenience”. With grub2-bls/systemd-boot the initrd is unprotected on the ESP. Anyone having physical access to your system can add malware to the initrd (e.g. logging your LUKS passphrase or installing a rootkit). So, without any further measures, grub2-bls is less secure because it does not protect against at least one class of attacks that the standard grub2-efi does.
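An added example, not part of the original post: a small parser for Boot Loader Specification entry files that reports which entries have no `linux` key (the case the post says blscfg ignores) and lists the initrd files each entry loads from the ESP. The sample entries and the names `parse_bls`, `audit` and `load_dir` are constructed for illustration; pass your own entries directory as the first argument.

```python
import sys
from pathlib import Path

# Constructed sample entries (not taken from a real system).
SAMPLES = {
    "linux-example.conf": (
        "# constructed example\n"
        "title   Example Linux\n"
        "linux   /example/linux\n"
        "initrd  /example/initrd\n"
        "options root=/dev/mapper/example quiet\n"
    ),
    # Chainload-style entry: uses the spec's `efi` key and has no `linux` key.
    "windows-example.conf": (
        "title Windows\n"
        "efi   /EFI/Microsoft/Boot/bootmgfw.efi\n"
    ),
}


def parse_bls(text):
    """Parse one entry into {key: [values]}; keys such as initrd may repeat."""
    entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)  # key, then the rest of the line
        entry.setdefault(parts[0], []).append(parts[1] if len(parts) == 2 else "")
    return entry


def audit(entries):
    """Return one row per entry: (name, has_linux_key, payload, initrds)."""
    rows = []
    for name, text in sorted(entries.items()):
        e = parse_bls(text)
        linux = [v for v in e.get("linux", []) if v]
        efi = [v for v in e.get("efi", []) if v]
        rows.append((name, bool(linux), (linux or efi or [None])[0], e.get("initrd", [])))
    return rows


def load_dir(path):
    """Read every *.conf file in an entries directory supplied by the caller."""
    return {p.name: p.read_text(errors="replace") for p in Path(path).glob("*.conf")}


if __name__ == "__main__":
    entries = load_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLES
    for name, has_linux, payload, initrds in audit(entries):
        note = "has linux key" if has_linux else "NO linux key (ignored by blscfg per the post)"
        print(f"{name}: {note}; payload={payload}; initrd on ESP={initrds}")
```

The initrd paths it prints are the files the post describes as unprotected on the ESP, so they are the ones to cover with whatever integrity measure your threat model calls for.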