Thank you for these additional comments. The question was answered by monwarez, above.
In fact running with no modules at all is the safest.
ZFS has its own ko. Hardware drivers, some network interface capabilities like bridge, ... these items necessary to run the basics of a given system might require kernel modules. Running with no modules might be the safest, but it might challenge some of the assumptions about configuring a system. This is a good point. It seems to highlight the risks we accept as we initially configure a machine.
The situation that brought about my question was that I had some machines that were configured to require a kernel mod; if the machine's kernel was edited after that mod in a way that removed a kernel mod after boot, and then a program called a command which required the removed mod, the machine would page fault. Since I have observed this, and the machine was subsequently unresponsive after that page fault, I felt that this was an unsafe stop to the machine. This made me wonder about the behavior of machines with improperly edited configurations. Like, what if someone kldunloaded every item in kldstat? Could someone automate a crash by just unloading it all? I wondered.
If an attacker gains root, the war has been lost, so arguing what they can or can not do is pointless.
No. Systems can be defended against missteps and offensive actions by even the root user. For example, changes made by an admin might result in the automatic advisement of others in the same group. Just because an attacker gains root, it does not mean that everything has been lost. There is plenty that can be done in response to such an attack. My question was not about giving up all hope just because a big problem manifested itself.
As someone who has been programming for 35 years, I was aware that a root user could shut down the machine. I feel like I should mention that basic advice like being told root can shut the machine off was received as if it were a little bit condescending. It was kind of insulting to read that. Later, I began to realize that maybe some people would just give up if an attacker got root. Perhaps we can look beyond the abandonment of hope in the face of a catastrophic failure and recognize that there can be more which could still be done. The question was about kldunload safety. It has been answered. Thanks.