@aktivismoEstasMiaLuo @ashwinvis @strypey
There's no good answer here: kernel code offers much better performance but isn't confined as much as userland code. This is precisely why high-performance code such as WireGuard is better implemented in the kernel.
Security always comes at a performance penalty - there's actually a recipe on how to speed up your Linux box by turning off all the Spectre/Meltdown mitigations added over the last few years https://make-linux-fast-again.com/
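Added example, not part of the thread above: a small POSIX sh audit of which Spectre/Meltdown-class mitigations a Linux kernel currently has active, read from the sysfs files the kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (one line per issue: "Not affected", "Mitigation: ...", or "Vulnerable..."). It is what you would run before and after applying a "speed-up" recipe of this kind, since the upstream switch behind such recipes (the `mitigations=off` kernel command-line parameter, or the per-issue parameters it aggregates) turns "Mitigation:" lines into "Vulnerable" ones. The sample sysfs contents and the `classify_vuln`, `summarize_report` and `live_report` function names are constructed for this example; the status strings follow the kernel's own format but are not a capture from any particular machine.

```shell
#!/bin/sh
# Added example: audit CPU vulnerability mitigation state via sysfs.
# Not code from the original thread or from the linked site.

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Constructed sample in "name|status" form, mimicking what the sysfs files
# contain on a kernel with some mitigations on and some off.
SAMPLE_SYSFS="meltdown|Mitigation: PTI
spectre_v1|Mitigation: usercopy/swapgs barriers and __user pointer sanitization
spectre_v2|Vulnerable: Unprivileged eBPF enabled
mds|Not affected
l1tf|Mitigation: PTE Inversion
srbds|Vulnerable: No microcode"

# classify_vuln STATUS_LINE
# Prints one of: mitigated | vulnerable | not_affected | unknown.
# The kernel prefixes each sysfs line with one of these fixed words.
classify_vuln() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# summarize_report
# Reads "name|status" lines on stdin, prints one classified line per issue,
# then a final "SUMMARY mitigated=N vulnerable=N not_affected=N unknown=N".
summarize_report() {
    m=0; v=0; n=0; u=0
    while IFS='|' read -r name status; do
        [ -n "$name" ] || continue
        class=$(classify_vuln "$status")
        printf '%-12s %-12s %s\n' "$name" "$class" "$status"
        case "$class" in
            mitigated)    m=$((m + 1)) ;;
            vulnerable)   v=$((v + 1)) ;;
            not_affected) n=$((n + 1)) ;;
            *)            u=$((u + 1)) ;;
        esac
    done
    printf 'SUMMARY mitigated=%d vulnerable=%d not_affected=%d unknown=%d\n' \
        "$m" "$v" "$n" "$u"
}

# live_report
# Same report, but fed from the running kernel's sysfs files.
# Returns 1 (with a message on stderr) when the directory is absent,
# e.g. inside a minimal container or on a non-Linux system.
live_report() {
    if [ ! -d "$SYSFS_VULN_DIR" ]; then
        echo "no $SYSFS_VULN_DIR on this system" >&2
        return 1
    fi
    for f in "$SYSFS_VULN_DIR"/*; do
        [ -e "$f" ] || continue
        printf '%s|%s\n' "$(basename "$f")" "$(cat "$f")"
    done | summarize_report
}

# Demo: the constructed sample first, then the live system if sysfs is present.
printf '%s\n' "$SAMPLE_SYSFS" | summarize_report
live_report || echo "(live sysfs report skipped)"
```

Run it once on the stock kernel and once after booting with `mitigations=off`; every line that flips from `mitigated` to `vulnerable` is a class of leak (kernel memory to user space, or one process's data to another on the same core) that the faster configuration has reopened, which is the trade the post is describing.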