After discovering and working around a bug in grub2-set-password, I am now able to set password protection for grub2 in Fedora 38. While this method asks for a password when trying to edit a grub menu entry with 'e', it does not stop a regular user from booting non-default grub entries.
Grub 2.06 documentation states that
Superusers are permitted to use the GRUB command line, edit menu entries, and execute any menu entry.
The problem is the last action: stopping the execution of non-default menu entries without password. In Fedora 38, after password-protecting grub, a superusers group is indeed created, but I can still execute non-default menu entries without password.
I can see that password protection for grub menu entries is effectively disabled by each individual file in /boot/loader/entries/. Every file sets grub-arg --unrestricted, which according to Grub 2.06 documentation means that there is no restriction as to who can boot that entry. I also found a discussion indicating that Fedora patches grub to combine it with Boot Loader Specification (BLS). This suggests that the issue could be very much Fedora-specific. More information on this feature in Fedora can be found in the Fedora change description on BLS.
I can also see that grub_arg --unrestricted has been hard coded into the new version of grubby, which is just a bash script in F38.
So the question is: For non-default grub entries, how does one correctly override grub_arg --unrestricted, which is hard-coded into grubby?
