So be prepared to enter MokManager after kernel update if you are using any third-party modules (in the first place, NVIDIA).
Actually, there could be interesting implications. As far as I can tell, NVIDIA package removes old certificates every time it (tries) rebuilding which happens on kernel update. If rebuilding fails and user accidentally agreed to removal of old certificates, then neither new modules (which do not yet exist) nor old modules (which now fail verification) will work. This problem does not happen for Leap where kernel ABI is preserved, and modules are built just once and reused for all future kernel updates.
Would be good if someone who has NVIDIA tested and documented various workflows.