
UEFI bootloader updates seem broken #297

Open
ArrayBolt3 opened this issue Dec 23, 2024 · 2 comments · May be fixed by #299

Comments

@ArrayBolt3

grml-debootstrap currently installs grub-efi-amd64-signed when building an image with EFI boot support. However, it does not install grub-efi-amd64 itself, which means that the actual GRUB installation won't be updated when the GRUB package is updated. As the grub-efi-amd64-bin package description warns:

 This package contains GRUB modules that have been built for use with the
 EFI-AMD64 architecture, as used by Intel Macs (unless a BIOS interface has
 been activated).  It can be installed in parallel with other flavours, but
 will not automatically install GRUB as the active boot loader nor
 automatically update grub.cfg on upgrade unless grub-efi-amd64 is also
 installed.

grub-pc, on the other hand, is installed by default, which means that the BIOS bootloader will be updated properly. Sadly grub-pc and grub-efi-amd64 can't be installed at the same time, so you can't have both bootloaders be continuously updated. Of the two, I'd argue the UEFI bootloader is the more important one to keep continuously up-to-date, because it's the one that has Secure Boot implications, while grub-pc doesn't.

Furthermore, while grml-debootstrap installs the bootloader to the removable media location by default using the --removable switch, the grub2/force_efi_extra_removable debconf variable isn't being set. This means that even if grub-efi-amd64 is installed, the fallback bootloader won't be updated when GRUB updates, potentially leaving security issues.

(Note: This isn't an issue that can be solved entirely in grml-debootstrap. In my testing, even installing grub-efi-amd64 and setting the debconf variable correctly wasn't working to get UEFI bootloader updates to work on an image built with grml-debootstrap. I don't understand why, but suspect it may be a bug in Debian's grub-efi-amd64.postinst script.)

@zeha
Member

zeha commented Jan 2, 2025

We should see what is actually a bug in grml-debootstrap and what's a Debian issue.

@ArrayBolt3
Author

I've determined that there is not actually a Debian bug here. grub-efi-amd64's postinst only runs a GRUB installation if the distribution-specific bootloader directory exists. For instance, on Debian, the bootloader will only be installed when configuring grub-efi-amd64 if /boot/efi/EFI/debian exists. If that directory does not exist, the bootloader will not be installed during package configuration, not to the normal path and not to the removable media path.

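As an added example, not code from grml-debootstrap or from anyone in this thread: a POSIX shell audit helper that inspects an installed image tree for the three conditions raised above, so a build can be checked before it ships rather than discovered to be stuck on an old bootloader later. It checks that the grub-efi-amd64 meta package (not only -signed/-bin) is recorded as installed, that the grub2/force_efi_extra_removable debconf answer is "true", and that the distributor directory under /boot/efi/EFI exists, which the last comment identifies as the precondition for the postinst to run grub-install at all. It assumes the standard Debian locations /var/lib/dpkg/status and /var/cache/debconf/config.dat under the given root, and the distributor directory name (debian, grml, ...) is passed as an argument.

```shell
#!/bin/sh
# Added audit helper (not part of grml-debootstrap). Usage:
#   sh check-efi-updates.sh /path/to/image/root [distributor]
# The ESP must be mounted at <root>/boot/efi for the third check to mean anything.

# Returns 0 if package $2 is "install ok installed" in $1/var/lib/dpkg/status.
# dpkg's status file is a sequence of blank-line separated paragraphs; we
# remember the current Package: and test the Status: line that follows it.
pkg_installed() {
    root=$1; pkg=$2
    status_file="$root/var/lib/dpkg/status"
    [ -r "$status_file" ] || return 1
    awk -v pkg="$pkg" '
        /^Package: / { cur = $2 }
        /^Status: /  { if (cur == pkg && $0 == "Status: install ok installed") found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$status_file"
}

# Prints the stored answer for debconf question $2 from
# $1/var/cache/debconf/config.dat (empty output if the question is absent).
# config.dat uses Name:/Value: paragraphs in the same style as dpkg status.
debconf_value() {
    root=$1; question=$2
    config="$root/var/cache/debconf/config.dat"
    [ -r "$config" ] || return 0
    awk -v q="$question" '
        /^Name: /  { cur = $2 }
        /^Value: / { if (cur == q) { sub(/^Value: /, ""); print; exit } }
    ' "$config"
}

# Runs all three checks against the tree at $1. Prints one line per finding
# and returns 0 only when every condition for updatable UEFI GRUB holds.
check_efi_update_path() {
    root=$1; distributor=${2:-debian}
    rc=0
    if pkg_installed "$root" grub-efi-amd64; then
        echo "ok: grub-efi-amd64 is installed"
    else
        echo "FAIL: grub-efi-amd64 not installed; -signed/-bin alone are not re-installed on upgrade"
        rc=1
    fi
    if [ "$(debconf_value "$root" grub2/force_efi_extra_removable)" = "true" ]; then
        echo "ok: grub2/force_efi_extra_removable=true"
    else
        echo "FAIL: grub2/force_efi_extra_removable is not true; the removable-media copy will not be refreshed"
        rc=1
    fi
    if [ -d "$root/boot/efi/EFI/$distributor" ]; then
        echo "ok: /boot/efi/EFI/$distributor exists"
    else
        echo "FAIL: /boot/efi/EFI/$distributor missing; the postinst skips grub-install entirely"
        rc=1
    fi
    return $rc
}

# Stand-alone invocation when given a root path; functions only when sourced.
if [ $# -gt 0 ]; then
    check_efi_update_path "$@"
    exit $?
fi
```

A FAIL on the third check reproduces the situation described in the last comment: with the directory absent, installing grub-efi-amd64 and setting the debconf answer still produces no grub-install run, so the first two checks passing is not sufficient on its own. The package check only confirms dpkg's record; confirming that the .efi binaries on the ESP actually match the installed package version is a separate step.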
@ArrayBolt3 ArrayBolt3 linked a pull request Jan 10, 2025 that will close this issue