Kernel modules require root privileges to load and the Linux kernel's philosophy (pre user namespaces lollllll) was that root -> kernel privesc didn't matter.
Of course it would be nice if every app can load up its own untrusted eBPF code and for the kernel to not be compromised. But why such high standards, where else is that the standard to go for? Seems perfect is the enemy of good.