In Windows there is the Windows hardware dev center, and you can sign your drivers to distribute via Windows Update. Why Canonical doesn't have (or it has??) a hardware dev center, where NVidia can upload their driver and build it. Why it HAS (is it mandatory to build it locally with DKMS??) to be built with DKMS on user's machine? Secure boot doesn't work that way because the driver isn't signed.

https://docs.microsoft.com/en-us/win...ease-signature