Just running in userspace doesn't necessarily give you an inherent security advantage, especially if running as the primary user on the system. However, many more facilities exist to isolate and sandbox userspace binaries to protect against exploits. For instance: take a kernel filesystem driver, port it to FUSE, and run the actual process that does filesystem parsing inside of a seccomp sandbox that only has permission to read and write the mounted device and respond to FUSE requests. Then, even if that filesystem parsing got exploited, the exploit can do very little to harm the system. It could crash, slow down filesystem accesses, serve up arbitrary file content (already possible if you control the filesystem image), or burn CPU, but it can't make arbitrary system calls and can't easily escalate privileges.