I’m not sure that’s necessarily true with enforcement of driver signing.
The latest OS kernels typically make some effort to resist arbitrary code injection even by the system administrator and sometimes goes even further against an attacker with a read/write primitive on the kernel. Linux with secure boot will refuse to load unsigned kernel modules for example.