Is it truly either-or? Obviously the root of anti-cheat needs to be totally locked down, aka the TPM. But almost all "open" computers have a locked down TPM. The TPM doesn't need to prevent you from running an unsigned firmware, kernel, modules or user software, it only needs to report on whether you are / have. You can reboot your computer into "trusted" mode and run your games with anti-cheat. Then when you're done playing you can as much unsigned software as you want.

You ask if it's either intrusive spyware or if it's a locked down system and then describe dual-booting intrusive spyware.

A TPM is entirely under your control. It's designed in such a way that you can't do certain things with data within it, but that's not because (at least in theory) someone else can and is controlling your TPM to prevent you from doing those things. The TPM, unlike an installation of Windows, doesn't only listen to Microsoft.

What I'm describing is exactly the situation now. Many people dual boot Windows & Linux, with kernel level anti-cheat on their Windows partition. The existence of Linux on the same computer does not prevent the kernel level anti-cheat from working on Windows.

Similarly, the presence of unsigned software on a computer would not stop a Linux kernel level anti-cheat from working, and the kernel level anti-cheat shouldn't prevent the unsigned software from working. Once you run that unsigned software, your machine is tainted similarly to the way your kernel is tainted if you load the NVidia driver.