
The 2005 thing requires local admin rights, and the 2008 one allows users to run code they wrote, which I thought we were not doing.



If you've whitelisted an application that can execute arbitrary code (like the Office products with VBA) then SRP can be bypassed by an unprivileged user.


Which is why Office has a whole set of controls about macros and signing.


Presumably AppLocker is implemented in kernel mode because Microsoft realized that doing the whitelisting in user mode was more fraught with potential escapes. The kernel / user security boundary was one they were already defending (and leveraging hardware functionality in processor privilege levels) so creating a new pseudo-security boundary to defend in user mode was a bad idea.

Application-level permissions that aren't enforced by hardware seem like a losing proposition to me. I get that a belt-and-suspenders approach isn't unreasonable, so I guess it's not valueless, but I wouldn't have it as my only line of defense.


But then they forced you to rent that feature, spooky



