How would the attacker cause one of these modules to get loaded without already having root?
Trivially. Kernel modules autoload through various unprivileged mechanisms.
Trivially. Kernel modules autoload through various unprivileged mechanisms.