I do not know about all of the details of secure boot which you are interested in, someone else will need to provide a full answer, but some basic info follows…
CBoot is used anyway (this is an early boot stage), but the question is more one of whether content being loaded has signing enforced based on a private key. Certainly all of the bootloader stages (including CBoot) will require signing for the content to be allowed when the secure boot is enabled, but the rootfs itself will not use signing. It is up to the earlier stages to load only the correct content.
The initrd might be considered a rootfs, one that happens to be a cpio tar archive instead of an ext4 filesystem. The methods used by earlier boot stages to determine which content to load as initrd might enforce something. Presumably, if your boot content is guaranteed authentic, and if your boot content only loads the correct initrd, then everything up to that point is guaranteed up to the strength of the signing. That initrd is yours though, and you might choose to add something like filesystem encryption prior to the pivot_root. The pivot_root itself ends the life of the existing initrd and transfers life to the ext4 filesystem. At this point it comes down to your creativity as to what occurs during that pivot_root to ensure valid content.
One variation which some people consider is having a read-only rootfs which becomes the backing to OverlayFS.
NOTE: CBoot runs regardless of whether U-Boot is used or not.