This is "a service that automatically starts". That's what automatic kernel module loading is for!

It's not any different from putting an always-running network service behind socket activation instead. The security boundary/risk is nearly identical between the two.