You’re talking about the IDS/IPS problem. For it not to impact the kernel it would need to be a passive, read-only system. But if you need it to be active to actively prevent threats, it needs to have the same level of access a threat actor could gain. You can’t move everything to user space without a shit load of signing and things like TPM and SecureBoot, which people have been decrying for years as “vendor lock-in”. So at some point a level of trust or risk must be accepted.