Or do what Apple does, disallow kernel extensions, and provide rigid kernel facilities for VPN clients, EDR agents, etc. to use, so they don't have to implement custom code resident in the kernel.
Apple can disallow kernel extensions because it fully controls the entire hardware and software stack. Everything that would need to be an extension is already in the kernel and Apple knows all of those things.