Assuming someone manages to first get root, can kernels only allowing signed modules to be loaded (Talos does that if I'm not mistaken, for example) prevent that stealth rootkit from being loaded? Or can root just bypass that check?
Or is the only line of defense a kernel compiled without the ability to load modules?
I know all bets are off once someone has already gained root, but not allowing the installation of a stealth rootkit is never bad.