manual modprobing yes, autoloading by the kernel (e.g. by virtue of opening a socket of a certain type) no. but in recent pve-container versions, opening AF_ALG sockets is also forbidden via seccomp...
From what I gather, these modules have to either be in use, loadable through a user-level (not root) trigger, or already compiled default into the kernel to be exploitable in containers.
Doesnt the default confined apparmor profile for...
The key element of this post is the "live" aspect of it indicating restart is not possible. Trivial to set it in configs of course. This was a sensitive long-running job as intoned by my description. Could not be restarted.