EDIT: Just noticed your mention at the bottom of the post, feel free to disregard this
1. I was more familiar with the relevant kernel APIs/techniques
2. ptrace adds a 2x (3x?) overhead to each syscall and works on inferior processes only
3. I want KRF to eventually fault ptrace(2) itself!
They do, however, show that eBPF can be used to detect changes to particular files and alert the user/provide feedback when that happens. That's extremely useful, although not the same as actually denying that change (which would require modifying the syscall itself).
Edit: I just watched up to the point when they discuss `bpf_probe_write_user`, which I didn't know about. Looks like you can indeed use that to do much of what I'm interested in!
Perhaps soon it will be able to, though! See the "seccomp trap to userspace" patches.