Simple wire protocols, including cryptographic ones, are not concerning. They are easy to validate and do not operate on complex inputs, which is why something like Wireguard can exist in the kernel.
The issue is complex super-protocols like TLS, with handshakes, negotiations, numerous operational modes and so forth. Splitting this so the kernel only sees a simple wire protocol - with anything involving complexity and decision-making happening in user-space - removes any concern.
The issue is complex super-protocols like TLS, with handshakes, negotiations, numerous operational modes and so forth. Splitting this so the kernel only sees a simple wire protocol - with anything involving complexity and decision-making happening in user-space - removes any concern.