How is secure boot stopping them from overwriting my kernel image on the first place? Won't it just report that the kernel image was tampered and thus you cannot boot to the system?

It does nothing to prevent overwriting the kernel image.

If secure boot is operating as designed, the boot loader will refuse to boot the replacement kernel (because its hash is not on a list).

Now if you ask, how is secure boot stopping an attacker from overwriting libc or some other important system library? the answer is nothing is stopping it on Linux, but on ChromeOS, MacOS, Windows and the two mobile OSes, the secure-boot machinery has been guarding against that for years.