But bpf(2) isn't the only entry point for bpf filters in the kernel. Unprivileged user programs have access to the SOL_SOCKET SO_ATTACH_FILTER sockopt, as well as the PR_SET_SECCOMP SECCOMP_MODE_FILTER prctl. Now, these take cBPF programs, not eBPF - so they don't have all the fancy programming features that bpf(2) has - but they're still "code running in the kernel".