Integrity doesn't restrict eBPF. Confidentiality is for cases where you're doing stuff like using EVM to prevent offline attacks, which involves the kernel holding a key and using it to sign all files. This can be circumvented if you're able to just scrape the secret out of the kernel.