A UKI is a kernel+initramfs+boot-arguments bundle all as a single WinPE/UEFI executable using the "EFI Stub Loader".
You configure your system firmware to execute it, passing no arguments. It boots using the command line you set earlier. It's signed, and verified by the platform secure boot.
It doesn't, it's just another bootstrapping method that happens to work fine with hibernation.
UKI allows you to extend your chain of trust from the bootloader to ramdisk, instead of just your bootloader and kernel. From there, you can enable kernel lockdown and checking of module signatures if you want to.
I think you can do the same thing without UKI (I forget tbh), but UKI simplifies it with one UEFI executable that doesn't even need a bootloader.
The swap file that memory is dumped to during hibernation is on an encrypted disk. Upon wake, you need to unlock the disk before you can resume from hibernation.
This may or may not apply to your situation, but at least some motherboards have an integrated bootloader. You need to register the options with it (via efibootmgr for example). Then pressing a key (check your manual) presents you with the options.
This has worked with both Linux and Widows on all my machines: handbuilt 3rd gen intel with an asus MB, 6th gen with some msi, 10th gen with a cheap Gigabyte, and an assorted bunch of HP Elite desks and books with intel and AMD.
I understand there’s even a way for them to auto detect the options, but since this has been a set it forget it type thing, I never bothered to look into it.
