Presumably AppLocker is implemented in kernel mode because Microsoft realized that doing the whitelisting in user mode was more fraught with potential escapes. The kernel / user security boundary was one they were already defending (and leveraging hardware functionality in processor privilege levels) so creating a new pseudo-security boundary to defend in user mode was a bad idea.
Application-level permissions that aren't enforced by hardware seem like a losing proposition to me. I get that a belt-and-suspenders approach isn't unreasonable, so I guess it's not valueless, but I wouldn't have it as my only line of defense.
Application-level permissions that aren't enforced by hardware seem like a losing proposition to me. I get that a belt-and-suspenders approach isn't unreasonable, so I guess it's not valueless, but I wouldn't have it as my only line of defense.