Tumbleweed will enable Secure Boot kernel lockdown in the next major kernel update

So be prepared to enter MokManager after kernel update if you are using any third-party modules (in the first place, NVIDIA).

Actually, there could be interesting implications. As far as I can tell, NVIDIA package removes old certificates every time it (tries) rebuilding which happens on kernel update. If rebuilding fails and user accidentally agreed to removal of old certificates, then neither new modules (which do not yet exist) nor old modules (which now fail verification) will work. This problem does not happen for Leap where kernel ABI is preserved, and modules are built just once and reused for all future kernel updates.

Would be good if someone who has NVIDIA tested and documented various workflows.

The lockdown function be enabled in master branch of openSUSE kernel - openSUSE Factory - openSUSE Mailing Lists

Thanks for the heads-up arvidjaar.

Dumb question: No implications for legacy BIOS boot, or?

Right. It should not affect BIOS boot.