The user can change anything they want, but a process launched by your user doesn't inherit every user access by default. You (the user) can give a process full disk access, or just access to your documents, or just access to your contacts, etc. It's maximizing user control, not minimizing it.

I am talking about removing the ability to install kernel extensions.

As for full disk access, go try and remove Photo Booth from you Mac.

The user isn't being restricted. Third-party software is being restricted, by default, and those restrictions can be disabled by the user.

This is a feature not a bug in the enterprise.