I tried to install TrioMode for the bandwidth-monitoring features until I realized it actually needs to run in the kernel, which is too much of security trade off for me to accept.
I guess for bandwidth-monitoring alone that may seem like an overkill. But it's a firewall too. The TripMode FAQ does point out:
> TripMode uses a macOS feature called “Network Kernel Extension” to be able to block apps from accessing the Internet. This is the Apple-endorsed way of managing network traffic on a Mac ... We notarize each TripMode for Mac release with Apple, which means that Apple guarantees that they are free from malware ...
I also found this discussion that explains a bit about why Mac firewalls still prefer to use a Kernel Extension on macOS - https://forums.developer.apple.com/thread/79590 (The developers of all the three popular firewall mentioned here - Little Snitch, TripMode, RadioSilence - have added their thoughts in that thread).
