eBPF is restricted when booted in a SB environment, but it's not nonfunctional. The default config puts the kernel into "integrity" mode of Kernel Lockdown, which reduces scope of access and enforces read-only usage.

Whether or not the specific functions needed to replicate this tool are impacted is beyond my knowledge.

I think this is a great point, eBPF is cool but probably less popular than ss