are these threads spawned by the driver (PsCreateSystemThread) or by the EXE application (which, afaik, as elevated privileges and has access to some ring-0 memory pages such as the IDT & the Xprotector driver).

Perhaps you could look into patching the driver directly or hooking PsCreateSystemThread.