I can confirm this issue - after upgrade on 21.06.2021, Secure Boot no longer works. Signing the third party kernel modules reports no problems, but the signed modules are not loaded on boot. Issue appears to be that the MOK isnot available during and/or after boot.
host:/# mokutil --list-enrolled
MokListRT is empty
Using mokutil to reinstall the MOK works in that the correct user
key is visible in the EFI utility during the next restart, but after
boot the output of mokutil --list-enrolled is unchanged (MokListRT
is empty). Booting an older kernel (which was working without
problem prior to the upgrade) does not change the behaviour on boot.
This indicates to me that the problem is not related to module
Downgrading shim by downloading the relevant packages from snapshot.debian.org and rolling back results in a system where the MOK is correctly listed by mokutil --list-enrolled:
host:/# apt-get install shim-signed=1.33+15+1533136590.3beb971-7 shim-signed-common=1.33+15+1533136590.3beb971-7 shim-unsigned=15+1533136590.3beb971-7+deb10u1 shim-helpers-amd64-signed=1+15+1533136590.3beb971+7+deb10u1
After this downgrade, the nvidia driver modules were loaded on next boot. The virtualbox modules could only be loaded after re-signing with the MOK. Once this has been done, the system boots normally on subsequent restarts. Following the same procedure and updating from version 1.33 to version 1.34 showed the same behaviour as for 1.36 - mokutil --list-enrolled reported an empty list.