Maybe there's something about your use case where the potential performance difference between a kernel driver and FUSE driver is hugely relevant and outweighs the security problems.
For me, the use cases for NTFS in my Linux-centric life are all fraught with trust issues when it comes to knowing what's in that filesystem isn't malicious and about to exploit a kernel fs driver bug for unfettered ring-0 execution.
It's less of a concern with filesystems you initialized from your host, on devices permanently attached to said host, with a clear chain of custody, accessed purely from the trusted environment. There's a lot of implicit trust when it comes to mounting filesystems with a kernel driver, the kernel fs devs aren't shy about admitting there's significant trust assumptions throughout those drivers - they aren't exactly hardened against malicious input, and they aren't isolated processes like w/FUSE.
Personally when a box has a sensitive enough use case (e.g. secret storage hosts) that attacks via the local filesystem are a design concern I simply don't include either FUSE or additional filesystem modules nor do I plan on mounting additional storage after boot. I configure everything with minimal possible surface regardless of if it could be constructed with more convenience.
I suppose some people may treat every box with that level of security profile but I don't think it should come as much of a surprise that level of hardening is not the normal use case considered when new drivers are staged in the kernel tree.
> Maybe there's something about your use case where the potential performance difference between a kernel driver and FUSE driver is hugely relevant and outweighs the security problems.
The idea of handling I/O errors is pretty recent in most Linux file systems, I don't think security concerns are much of an issue with adding another file system - the kernel is probably full of easily exploitable holes anyway.
For me, the use cases for NTFS in my Linux-centric life are all fraught with trust issues when it comes to knowing what's in that filesystem isn't malicious and about to exploit a kernel fs driver bug for unfettered ring-0 execution.
It's less of a concern with filesystems you initialized from your host, on devices permanently attached to said host, with a clear chain of custody, accessed purely from the trusted environment. There's a lot of implicit trust when it comes to mounting filesystems with a kernel driver, the kernel fs devs aren't shy about admitting there's significant trust assumptions throughout those drivers - they aren't exactly hardened against malicious input, and they aren't isolated processes like w/FUSE.