Panelists covered this topic at around 36:51 during the live AMA. 

Was partly answered in the event. The most critical situation here is full-disk encryption with TPM against PCR7. If whatever OS does not initially install the certificates is using such full-disk-encryption, they won't be able to reseal TPM and need a recovery key on next boot.

As TPM based full disk encryption is is quite exotic on Linux, you most probably get into that issue if you configure fwupd on Linux to push a new Microsoft KEK (which latest fwupd has an option for) while dual-booting Windows with BitLocker (and not having booted Windows for a while so that one did not push it first).

Still, common scenarios with no TPM full-disk-encryption on Linux side and not trying fwupd with exotic options on Linux either should not run into any issues. Also, I guess most dual boot setups won't even use full-disk-encryption on Windows side either as it makes data transfers between the systems harder than needed.