On top of loading kernel drivers, a lot of EDR vendors inject DLLs into every running process. The reason they had to do this is because even from kernel mode, certain security events simply aren't obtainable due to limitations placed by Microsoft. Let's say, for example, you want to know any time a process allocates executable memory (commonly used by malware to execute shellcode). There was for the longest time no legitimate way to track this.

So EDRs basically had to inject a DLL into every process, hook all the functions responsible for allocating memory pages, parse the parameters for flags that specify the memory as executable, then pass that info off to the main antivirus process via some kind of pipe.

Eventually, Microsoft upgraded their kernel to add an interface where the kernel would log these kinds of events, then security products could register to receive them from either user mode or kernel mode. This was added in (I think) Windows 10 1703, which was over a decade after they first tried to remove security products from the kernel.

But even today, because many enterprises are still running older Windows versions, EDR providers are still required to use legacy techniques like kernel callbacks and DLL injection. Additionally, the new events are read only. With DLL injection, if you detect a potentially malicious call you could intercept, redirect, or block it. Now you simply just get notified that the call happened, and just have to kind of figure out what to do next.