For other things such as a malicious script I would use SELinux, the IPTables owner module and auditd to see what is going on and to limit what can be done. This assumes one removes the unconfined_t types and assumes a file if running as root. None of those things dynamically execute code by design. That said, my question is around file-less behavior and monitoring. As far as I can tell there is zero monitoring unless, to your point, you build it yourself and have custom eBPF code running all the time. I would not expect this to be a common pattern.
A vulnerability in this space is entirely different in my view. If a Linux workstation is browsing a watering hole that tries to exploit eBPF, the code is injected directly in the network stream with root permissions and never touches the storage unless it wants to. This could theoretically be a wonderful way to chain exploits and hand them over to undocumented CPU instructions, or monitor a victim's traffic, or block their access to a site, and they would be none the wiser, with no audit trail or need to elevate privileges. This is always running in the background as root, monitoring all the traffic, and can dynamically execute instructions on the fly based on network input.
Outside of eBPF this would require exploiting the person's web browser, then elevating privileges and making changes to the system with calls that could be monitored or even blocked with existing tools such as SELinux, Firejail, auditd and so on.
So I guess ultimately my questions are: Where are the monitoring tools and mandatory access controls for eBPF? Or if there is no answer for that then my question would be: What is the kernel boot option to entirely disable eBPF? It appears I can only change the JIT settings.
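One way to get at least a syscall-level audit trail of eBPF program loads with a tool the post already names (auditd), as an added example that is not part of the original post: it assumes an audit rule such as `-a always,exit -F arch=b64 -S bpf -k bpf` is loaded, parses the resulting SYSCALL records, and flags program loads by binaries outside an allowlist. The log lines below are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed SYSCALL records (not real captures), in the shape auditd writes for
# the bpf() syscall on x86_64 (arch=c000003e, syscall=321). a0 is the bpf command.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=321 success=yes exit=4 a0=0 a1=7ffd0000 a2=78 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="systemd" exe="/usr/lib/systemd/systemd" key="bpf"
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=321 success=yes exit=5 a0=5 a1=7ffd1000 a2=78 a3=0 items=0 ppid=2000 pid=2100 auid=1000 uid=1000 gid=1000 euid=1000 comm="firefox" exe="/usr/lib/firefox/firefox" key="bpf"
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=321 success=yes exit=3 a0=5 a1=7ffd2000 a2=78 a3=0 items=0 ppid=1 pid=2200 auid=1000 uid=0 gid=0 euid=0 comm="bpftool" exe="/usr/sbin/bpftool" key="bpf"
type=SYSCALL msg=audit(1700000000.404:204): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3000 a2=0 a3=0 items=1 ppid=1 pid=2300 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="files"
"""

# bpf() syscall number keyed by the audit arch value: x86_64 -> 321, aarch64 -> 280.
BPF_SYSCALL_BY_ARCH = {"c000003e": 321, "c00000b7": 280}
# Subset of enum bpf_cmd; PROG_LOAD (5) is where new code enters the kernel.
BPF_CMD_NAMES = {0: "MAP_CREATE", 5: "PROG_LOAD", 6: "OBJ_PIN", 8: "PROG_ATTACH"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into key=value fields, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def bpf_events(log: str) -> List[Dict[str, str]]:
    """Keep only SYSCALL records that are bpf() calls for their architecture."""
    events = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        if int(rec.get("syscall", "-1")) != BPF_SYSCALL_BY_ARCH.get(rec.get("arch", "")):
            continue
        cmd = int(rec["a0"], 16)  # audit prints syscall arguments in hex
        rec["bpf_cmd"] = BPF_CMD_NAMES.get(cmd, f"CMD_{cmd}")
        events.append(rec)
    return events


def unexpected_prog_loads(events: List[Dict[str, str]], allowed_exes: Set[str]) -> List[Dict[str, str]]:
    """Flag program loads from binaries outside the allowlist, e.g. a browser."""
    return [e for e in events
            if e["bpf_cmd"] == "PROG_LOAD" and e.get("exe") not in allowed_exes]


if __name__ == "__main__":
    allow = {"/usr/sbin/bpftool", "/usr/lib/systemd/systemd"}  # hypothetical allowlist
    for e in unexpected_prog_loads(bpf_events(SAMPLE_AUDIT_LOG), allow):
        print(f"pid={e['pid']} uid={e['uid']} comm={e['comm']} exe={e['exe']} {e['bpf_cmd']}")
```

Whether a uid 1000 process can succeed at PROG_LOAD at all is governed by the kernel.unprivileged_bpf_disabled sysctl, so the success=yes field is worth checking alongside the uid.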