Hacker News

apopapo today at 2:33 PM

> psc uses eBPF iterators to read process and file descriptor information directly from kernel data structures. This bypasses the /proc filesystem entirely, providing visibility that cannot be subverted by userland rootkits or LD_PRELOAD tricks.

Is there a trade-off here?


Replies

mgaunard today at 3:43 PM

I found this justification dubious. To me the main reason to use eBPF is that it gives more information and is lower overhead.

tempay today at 3:12 PM

It requires root
