you cant MITM HTTPS unless you're are doing it to yourself for testing.

Are you sure? It's pretty common for small tools like this to skip HTTPS certificate verification because of space constraints (typical CA trust root collections are around 100 KB in size). Since this is doing certificate verification of the downloaded file, HTTPS verification is usually redundant. If the HTTPS certificate verification is skipped then MITM of the HTTPS connection is trivial.

I took a quick look at the code and I'm not seeing the usual steps for certificate management, although I may have missed it.

> because of space constraints (typical CA trust root collections are around 100 KB in size).

Since shim is an executable in the ESP, which is a HDD or SSD partition, the space constraints are more relaxed (it's not a small SPI NAND chip).

Secure boot.