Why could we not run kernel level anticheat in a sandbox? Does kernel level inherently mean a sandbox cannot contain it?

The linux kernel actually does have several sandboxing paradigms and techniques, but by the definition of anti cheat means that it cannot be sandboxed.

The anticheat essentially scans the entire system memory, filesystem, and loaded kernel modules to ensure the userspace software is not being tampered with. It would be impossible to do that in a sandbox, hence it breaks all the security standards linux has for kernel modules (ex: why would a wireless driver need to access a printer module?).

Even for windows, kernel level solutions are not very well suited to be running there. The recent crowdstrike outage is a notable example, because it did essentially the same thing but then a bad update bluescreened every machine because giving a kernel module complete access is almost like modifying the kernel itself.

As an aside is kernel level anticheat required for anti-cheat to function? Or are the developers of anti-cheat software just doing kernel level because its easier?

It’s not required to function, but kernel level anticheat is just harder to bypass (still doable). They’re choosing kernel level because it’s cheaper to slap on a 3rd party AC than to make effective server-side software and pay for server moderation. Even Valve is hesitant with their VAC 3 system, even though it has been a major upgrade, it still requires manual moderating.

The thing is, most devs have finally realized kernel level anticheat still isn’t an effective solution, so they have been fine with the userspace anticheat on linux and opting for server side stuff. It’s just these last few holdouts that refuse to budge because they don’t value the linux market (yet).