Yes, it's usually a filter driver that delays execution until something like a hash is checked or other rules evaluate. Some products hash every interesting/executable file on the PC. They're powerful tools but can be extremely performance-sapping.
Microsoft has AppLocker (since Win7, I think). If you give it a curated whitelist it's actually quite alright and manages well via GPO (until you manage to lock yourself out ;). Much less overhead than any third-party tool that hooks the kernel.
True ... my company recently started deploying endpoint protection like CrowdStrike, BeyondTrust, Zscaler onto our Macs and these have slowed my machine considerably. They somehow spike the CPU just when I am doing something important.
Those are basically spyware hooked to every system call.