Why is WireGuard in the kernel?
It seems to me that a complex protocol like a VPN is always going to be subject to vulnerabilities due to coding errors. Even the bestest of coding magicians will make a mistake somewhere. So running this stuff at Ring0 seems only slightly less dangerous than, say, a web server. Both are processing data from the wild west internet.
Would we not sleep a little better if it ran as a module in its own security context?