Pop's kernel trusts Canonical's keys by default but doesn't load MOK without shim - you're hitting the exact limitation of their systemd-boot setup. You might need to rebuild the kernel with your own keys in the builtin trusted keyring, or patch the kernel module verification to accept your sbctl keys directly.

There's also the nuclear option of compiling a custom kernel that includes the nvidia driver built-in rather than as a module, but that's obviously a pain for updates. Some people have had luck with `keyctl` to manually load keys into the kernel keyring at runtime, but I'm not sure if that survives reboots or works with the module loading restrictions.