For some time now, Apple has required those developing kernel extensions to obtain special security certificates for their KEXTs. Since April this year, kernel extensions for Mojave and Catalina have also had to be notarized, which ensures that Apple has checked each of them for malware as well.
The main security checks are therefore performed when you first install a kernel extension. If it was signed from April 2019 onwards but hasn’t been notarized, Mojave and Catalina will refuse to accept it, and although in some circumstances you might be able to work around that (in Mojave at least), in most cases that is and should be a show-stopper. It means the kernel extension hasn’t been checked for malware by Apple, and you simply shouldn’t trust it: contact its developer and remind them of Apple’s security rules.
Even when it has been notarized and passes Catalina’s security checks, you still have to add it using the General tab of the Security & Privacy pane – what Apple terms User-Approved Kernel Extension Loading. Although Catalina tends to bombard you with alerts and prompts when installing and first running some software, this is one of the more important of them, and needs particular care.
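As an added example (not part of the original post), here is a small shell check you can run on a kernel extension before clicking Allow in Security & Privacy. It uses two standard macOS tools, `codesign -dvv` (prints the signing chain) and `spctl -a -vv -t install` (reports Gatekeeper and notarization status); the exact output strings matched below, the sample outputs and the team ID are assumptions constructed for this example.

```shell
#!/bin/sh
# Pre-approval check for a kernel extension (added example, not the post's code).
# Decides whether a KEXT is notarized, merely signed, or unsigned, from the
# verbose output of codesign and spctl. The matched strings are assumed from
# those tools' output on Catalina.

# classify_kext CODESIGN_OUTPUT SPCTL_OUTPUT
# Prints one of: notarized, signed-not-notarized, unsigned, unknown
classify_kext() {
    cs="$1"
    sp="$2"
    case "$cs" in
        *"code object is not signed"*) echo "unsigned"; return 0 ;;
    esac
    case "$sp" in
        *"source=Notarized Developer ID"*) echo "notarized"; return 0 ;;
        *"source=Unnotarized Developer ID"*) echo "signed-not-notarized"; return 0 ;;
    esac
    # Developer ID signed, but spctl gave no notarization verdict
    case "$cs" in
        *"Authority=Developer ID Application"*) echo "signed-not-notarized"; return 0 ;;
    esac
    echo "unknown"
}

# check_kext /path/to/Foo.kext : run the live tools (macOS only) and classify.
# Also show SIP status, since the prelinked kernel relies on it (see below).
check_kext() {
    kext="$1"
    cs_out=$(codesign -dvv "$kext" 2>&1)
    sp_out=$(spctl -a -vv -t install "$kext" 2>&1)
    printf '%s: %s\n' "$kext" "$(classify_kext "$cs_out" "$sp_out")"
    csrutil status
}

# Constructed sample outputs (placeholder team ID), for offline testing.
CS_SIGNED="Identifier=com.example.foo
Authority=Developer ID Application: Example Inc (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA"
SP_NOTARIZED="Foo.kext: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Inc (ABCDE12345)"
SP_UNNOTARIZED="Foo.kext: rejected
source=Unnotarized Developer ID"
CS_UNSIGNED="Foo.kext: code object is not signed at all"
```

Anything other than `notarized` should stop you before the approval step; a `signed-not-notarized` result is the case the post describes, where the developer needs reminding of Apple's rules.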
Catalina was to have introduced a further change to the installation of kernel extensions, which required the Mac to restart after the user had approved an extension, before it could be loaded. This was present in most betas, but was removed shortly before 10.15 was released, and it’s unclear whether this applies to the release version, will be re-instated in a future update to Catalina, or has been abandoned altogether. Hopefully Apple will clarify this soon.
Once a kernel extension has been built into the prelinked kernel, the latter needs System Integrity Protection (SIP), to ensure that nothing else can tamper with its contents. In Catalina, that not only means setting permissions and applying SIP, but storing it on the read-only System volume.