Any failure to get to the expected desktop must be investigated. No exceptions.
If you ignore red flags, yeah, you are going to get owned.
Windows doesn't normally do that; it doesn't reboot after installing updates during boot. It can only happen if the computer crashes during the update install, which, again, is rare and a red flag. So it's not like every week you will need to send your computer for investigation during update installs.
But of course, the evil maid can just implant your keyboard.
What if the USB Linux stick loads the NTFS partition and runs the entire Windows OS inside of HyperV? Are users supposed to learn VM escape shellcode to check their PC each time? ("You fat-fingered your shellcode? Well you deserve to be owned!")
The TPM machine check would fail in that case and the TPM would refuse to provide the crypto keys to decrypt the copied NTFS partition. That's the whole purpose of SecureBoot, to detect hardware/software changes (including HyperV).
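To illustrate the key-release check described in the comment above, here is a small constructed simulation of measured boot and PCR-bound sealing; it is added example code, not from this thread or from any vendor, and the component labels, the boot chains and the simulated TPM are all assumptions.

```python
import hashlib
import hmac
from typing import List, Optional

# Constructed boot chains: labels standing in for the measured binaries.
TRUSTED_CHAIN = [b"uefi-firmware", b"windows-boot-manager", b"winload+ntoskrnl"]
# The variant discussed above: a USB Linux stick boots a hypervisor, which then
# runs the real Windows partition as a guest. The extra stages get measured too.
TAMPERED_CHAIN = [b"uefi-firmware", b"usb-linux-shim", b"hypervisor",
                  b"windows-boot-manager", b"winload+ntoskrnl"]

PCR_INIT = bytes(32)  # PCRs start as all zeros at reset


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: PCR_new = SHA-256(PCR_old || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(chain: List[bytes]) -> bytes:
    """Each stage measures the next one into the PCR before handing over control."""
    pcr = PCR_INIT
    for component in chain:
        pcr = pcr_extend(pcr, component)
    return pcr


class SimulatedTPM:
    """Holds sealed secrets and releases one only if the PCR policy matches."""

    def __init__(self) -> None:
        self._sealed = {}  # name -> (expected PCR value, secret)

    def seal(self, name: str, secret: bytes, expected_pcr: bytes) -> None:
        self._sealed[name] = (expected_pcr, secret)

    def unseal(self, name: str, current_pcr: bytes) -> Optional[bytes]:
        expected, secret = self._sealed[name]
        if hmac.compare_digest(expected, current_pcr):
            return secret
        return None  # policy check failed: the key is not released


def key_released_for(chain: List[bytes]) -> Optional[bytes]:
    """Provision against the trusted chain, then boot `chain` and ask for the key."""
    tpm = SimulatedTPM()
    tpm.seal("volume-key", b"constructed-volume-master-key", measure_boot(TRUSTED_CHAIN))
    return tpm.unseal("volume-key", measure_boot(chain))
```

Because the PCR is a hash chain, inserting, removing or reordering any measured stage changes the final value, so the sealed key stays inside the simulated TPM for anything but the provisioned boot path.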