How would the attacker cause one of these modules to get loaded without already having root?

> This is a pedantry for the sake of it.

Par for the course for HN.

It’s radically different than on by default.

Having a service that automatically starts and listens on the network is radically different from having a module that a local administrator can load.

If you want to block module loads, you’re one sysctl flag away.