Hacker News

That's not really the case. The kernel, much like a police force, is not a monolithic entity; there are various parts of the kernel that get information before others. eBPF does let you "hook" various parts of the kernel, so that you can get an "exec" event from before the exec actually happens (you can't stop it, though, so even this is somewhat dubious). But someone in the kernel can intercept the hook itself, or uninstall it completely. In the police analogy, even if you have a friend in the force that you know is good, they are still part of the police. Even if the first thing they do when they get information is share it with you, there's no guarantee the dirty cop isn't sitting in the mail room ready to shred things before they get it.
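One practical consequence of the point above is that an eBPF-based sensor should verify its own hooks are still attached, since a kernel-level actor can remove them. The following is an added example, not code from the commenter: it parses the JSON emitted by `bpftool prog show -j` and compares it with an expected baseline of hook names. The baseline, the hook names and the sample bpftool output are all constructed, and a kernel-level adversary could equally falsify what bpftool reports, which is exactly the commenter's point.

```python
import json

# Constructed baseline: the BPF programs our (hypothetical) sensor expects to stay
# loaded. A real deployment would record these at install time.
EXPECTED_HOOKS = {
    ("tracepoint", "tp_sched_exec"),
    ("kprobe", "kp_do_execve"),
    ("tracepoint", "tp_sched_exit"),
}

# Constructed sample of `bpftool prog show -j` output, trimmed to the fields used.
# The exec tracepoint program is absent, simulating the "hook uninstalled" case.
SAMPLE_BPFTOOL_JSON = json.dumps([
    {"id": 12, "type": "kprobe", "name": "kp_do_execve", "tag": "0123456789abcdef"},
    {"id": 13, "type": "tracepoint", "name": "tp_sched_exit", "tag": "fedcba9876543210"},
    {"id": 40, "type": "kprobe", "name": "unknown_hook", "tag": "00ff00ff00ff00ff"},
])


def loaded_hooks(bpftool_json: str) -> set:
    """Return the (type, name) pair of every loaded BPF program in the JSON."""
    progs = json.loads(bpftool_json)
    return {(p.get("type", ""), p.get("name", "")) for p in progs}


def check_hooks(bpftool_json: str, expected=EXPECTED_HOOKS) -> dict:
    """Compare loaded programs against the baseline.

    'missing' hooks mean the sensor's visibility is gone (removed, or never
    installed); 'unexpected' programs deserve a look, since other BPF programs
    can observe the same events the sensor relies on. Lists are sorted so the
    output is stable enough to diff or alert on.
    """
    loaded = loaded_hooks(bpftool_json)
    return {
        "missing": sorted(expected - loaded),
        "unexpected": sorted(loaded - expected),
        "ok": expected <= loaded,
    }


if __name__ == "__main__":
    print(json.dumps(check_hooks(SAMPLE_BPFTOOL_JSON), indent=2))
```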



