by hnauz 2742 days ago
I want to try this out but... Why is WireGuard a module in the kernel??

The developers intend to merge it in the mainline kernel.

There are multiple advantages for having a VPN module be in-kernel, such as closer access to network/crypto APIs and better performance.

But that means that if there's a security bug in the module, the whole computer is compromised, no?

Yes, but being in the kernel makes it much faster, since you don't have to copy packets between user space and kernel space. It also allows you to use WireGuard from early boot, as well as allowing you to manage it like a real network interface (you can do this with TAP interfaces but it's less clean).

There is a userspace version available if you really don't want to use a kernel module (this is what the Android app uses if your kernel doesn't have WireGuard).

Also, WireGuard is an incredibly small program, less than 4000 lines. You could audit it in a day, and it has been extensively fuzzed (and was designed to be secure in many aspects). I would be far more worried about buggy network drivers than WireGuard.

How is this better than a VPN software that runs as root?

It isn't, but I don't see why you should run your VPN software as root at all.

In order to listen (and forward) all network traffic you need privileges over the network namespace that you want to forward packets for. In most cases this ends up with you running as root. You can use proxies but that defeats the point of a VPN -- that all traffic is forwarded.

But as I mentioned, WireGuard should really be the least of your problems (not to mention that there are userspace WireGuard implementations).
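A defender-side check for the "run as root" point above, added here as an example that is not part of the thread or of the WireGuard project: it parses the CapEff line of a process's /proc/<pid>/status and reports whether the process holds only the CAP_NET_ADMIN a tunnel daemon needs or a root-equivalent set. Capability bit numbers follow include/uapi/linux/capability.h; the sample status texts are constructed, and which capabilities a given userspace VPN needs is an assumption stated in the code.

```python
import re
from typing import Dict, List, Set

# Capability bit numbers from include/uapi/linux/capability.h (subset).
CAPS: Dict[int, str] = {
    10: "CAP_NET_BIND_SERVICE",
    12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW",
    21: "CAP_SYS_ADMIN",
}

# Assumption: a userspace tunnel daemon needs CAP_NET_ADMIN to create the
# interface and install routes; it does not need the full root set.
NEEDED: Set[str] = {"CAP_NET_ADMIN"}

# Constructed /proc/<pid>/status excerpts (not captured from a real system).
ROOT_STATUS = "Name:\tvpn-daemon\nCapEff:\t000001ffffffffff\n"   # every capability
MIN_STATUS = "Name:\tvpn-daemon\nCapEff:\t0000000000001000\n"    # bit 12 only
NONE_STATUS = "Name:\tvpn-daemon\nCapEff:\t0000000000000000\n"   # unprivileged


def parse_capeff(status_text: str) -> int:
    """Return the effective capability bitmask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def capability_names(mask: int) -> List[str]:
    """Name every set bit; bits not in CAPS are reported by number."""
    names, bit = [], 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAPS.get(bit, f"CAP_#{bit}"))
        bit += 1
    return names


def assess(status_text: str) -> str:
    """Classify the process: insufficient, root-equivalent, or least privilege."""
    held = set(capability_names(parse_capeff(status_text)))
    missing = NEEDED - held
    if missing:
        return "insufficient: missing " + ", ".join(sorted(missing))
    if "CAP_SYS_ADMIN" in held:  # CAP_SYS_ADMIN alone is effectively root
        return "root-equivalent: holds CAP_SYS_ADMIN"
    return "least privilege: " + ", ".join(sorted(held))


if __name__ == "__main__":  # on Linux, check the current process
    try:
        with open("/proc/self/status") as f:
            print(assess(f.read()))
    except FileNotFoundError:
        print("no /proc/self/status on this platform")
```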