PEP 770: Improving measurability of Python packages with Software Bill-of-Materials

There’s a discussion going on here, around the license file metadata, which might need addressing for SBOMs as well.

Basically, in a monorepo or similar project layout, it’s quite possible for license files to be stored outside of the project source tree, in another part of the overall repository. In that case, the restriction on files having to be under the project root is problematic.

I don’t know if SBOM data could potentially have the same need to be located outside the project tree, but if so, the PEP probably needs updating to reflect whatever solution is identified for the license file case.
