In many bpf-using programs, bpf is set up before privs are dropped, then locked, and then no significant ioctls are done after that. Meaning, while bpf is being set up -- the program is still fully root, has no lockdown, etc, and the bpf programming component is probably not the riskiest aspect...
So please show the userland diffs that use this.