You can make precisely the same argument for network services. Who knows, maybe you need telnet and UUCP and NFS and ftpd running on your system?... why should the distro maintainer decide?

Well, because you probably don't, and it's a security risk, so no need to put millions at risk for the benefit of that one person who wants to tinker with packet radio or whatever. Similarly, it would be prudent for distros to not allow autoloading of modules that are extremely niche while giving a simple way to adjust the settings if you want to. God knows they have plenty of GUI configurators and config files already.

Now I think about it, it's kinda weird if non-root users can cause kernel modules to get loaded, without any hardware changes having happened.

If the kernel modules for esp4, esp6 and rxrpc aren't loaded - how is it that a non-root attacker can cause them to get loaded?

Don't disagree, but there are eBPF mitigations that work as alternatives to unloading kernel modules.

>Distro maintainers blacklisting specific functionality because they believe YAGNI is a pretty big ask

We have forgotten what a distro is, and its modern corruption of the concept is now taken as the definition.

Distributions weren't meant to be competing generic universal bundles of userspace tools in addition to the kernel.