The key enrollment that Mint did sounds like registering the Machine Owner Key (MOK). That basically tells the bios that anything signed with that key should be permitted. The MOK is especially required when compiling your own drivers. Anything shipped by a Linux distro should already be signed so that the shim will permit it. SecureBoot is more about making sure your boot files haven’t been tampered with rather than being about preventing the owner from doing something.

You should already be able to boot any modern Linux OS that has support for SecureBoot. Only if you compile your own drivers or kernel would you need to use a MOK. If you do need that, you should be able to enroll another MOK or copy the MOK key files from the Mint install and use those keys to sign drivers in any other Linux distro.

The cli program mokutil will let you view and export your enrolled MOKs.

Use brew to update the core Unix utils such as bash, tar, sed, etc to the latest GNU releases. The mac has really outdated BSD-based versions.

It’s common in the US Tech industry. It’s considered “voluntary” because you could always say no and find a different job, or you could negotiate the removal of that clause. Often at the beginning they give you an opportunity to list your existing obligations that would be exempted. Always read the fine print of your employment agreement.