Client running code should always be considered compromisable, that’s security 101. Relying on kernel module checks is a terrible practice, and not a fundamental guarantee of safety either.
Good, secure anti-cheat happens serverside. But that’s harder and less broadly applicable, so Epic doesn’t want to bother with it.