The fact that an unprivileged local user can poke at the esp4/esp6 modules and use a simple splice() call to corrupt the page cache of a root binary is absurd. We are still shipping monolithic kernel configurations as if it were still the 90s, when every machine needed the potential to do everything.
Defaulting to a monolithic module load just to make container deployment slightly easier is a massive violation of the principle of least privilege at the kernel layer. OpenWRT had the right idea ages ago: strictly compartmentalize the modules. If a server isn't actively terminating IPsec tunnels, the kernel shouldn't even know what an ESP packet is, let alone have the fast-path decryption logic loaded in memory, waiting to be abused.
Attack surface reduction isn't just about closing unused network ports anymore; it's about stripping the kernel down to a zero-trust execution footprint.
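As an added example, not taken from the post above and not any distribution's shipped configuration: a small POSIX shell script that does what the post asks for on a host that never terminates IPsec tunnels. It generates a modprobe.d deny-list for esp4 and esp6 (plus ah4, ah6 and xfrm_user, standard Linux module names that I am assuming such a host also has no use for), audits /proc/modules-style text for any of them, and checks the one-way kernel.modules_disabled switch. The output path /etc/modprobe.d/no-ipsec.conf is my choice, and any module-list text fed to the audit function below is constructed input, not a capture from a real box.

```sh
#!/bin/sh
# Added example, not from the original post. Deny-list IPsec modules on a host
# that never terminates IPsec tunnels, and audit whether any are loaded.
# Assumptions: esp4/esp6/ah4/ah6/xfrm_user are the standard Linux module names
# (the list itself is my choice); /etc/modprobe.d/no-ipsec.conf is an arbitrary
# output path; constructed sample input is used to exercise the functions.

IPSEC_MODULES="esp4 esp6 ah4 ah6 xfrm_user"

# Emit a modprobe.d fragment. "install <mod> /bin/false" makes every load
# attempt fail, including an autoload triggered by an unprivileged process
# asking for a protocol handler. A bare "blacklist <mod>" line only suppresses
# loading via the module's internal aliases and is the weaker form.
gen_denylist() {
    for m in $IPSEC_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Read /proc/modules-style text on stdin (first field is the module name).
# Print the deny-listed modules that are loaded on one space-separated line.
# Return 0 if none is loaded, 1 otherwise.
find_loaded() {
    loaded=""
    while read -r name _rest; do
        for m in $IPSEC_MODULES; do
            if [ "$name" = "$m" ]; then
                loaded="${loaded:+$loaded }$name"
            fi
        done
    done
    if [ -n "$loaded" ]; then
        echo "$loaded"
        return 1
    fi
    return 0
}

# kernel.modules_disabled is a one-way switch: once written as 1, no module can
# be loaded or unloaded until reboot. Return 0 if the given file (default: the
# real sysctl node) reads 1.
modules_locked() {
    f="${1:-/proc/sys/kernel/modules_disabled}"
    if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then
        return 0
    fi
    return 1
}

# Live audit of this host. Nothing here modifies the system.
audit() {
    if [ -r /proc/modules ]; then
        if bad=$(find_loaded < /proc/modules); then
            echo "no IPsec modules loaded"
        else
            echo "IPsec modules loaded: $bad (rmmod them, then apply the deny-list)"
        fi
    fi
    if modules_locked; then
        echo "module loading is locked (kernel.modules_disabled=1)"
    else
        echo "module loading is still open; consider sysctl -w kernel.modules_disabled=1 once boot has settled"
    fi
}

case "${1:-}" in
    --show)  gen_denylist ;;
    --audit) audit ;;
    --apply)
        [ "$(id -u)" = "0" ] || { echo "run as root" >&2; exit 1; }
        gen_denylist > /etc/modprobe.d/no-ipsec.conf
        echo "wrote /etc/modprobe.d/no-ipsec.conf" ;;
esac
```

Run it with `--show` to see the fragment, `--audit` to report, and `--apply` as root to write the deny-list. The order matters in practice: modules already resident are not touched by modprobe.d, so unload them first, then install the deny-list so they cannot come back, and only then flip kernel.modules_disabled, since after that point even the modules you do want cannot be loaded until the next boot.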