You can continue to use apt and just reboot when your kernel package is updated.
If you don't want to reboot, then you can add livepatching.
It works with the existing kernel packages to fill the gap before you reboot. In other words, it's not a bypass for apt; it works in addition to it.
But livepatching doesn't cover all situations. Currently it's only high priority CVEs, and the article talks of situations where it's not possible at all. Given that apt is the fallback, I don't see how anyone could consider it to be lock-in.
If you don't want to reboot, then you can add livepatching.
It works with the existing kernel packages to fill the gap before you reboot. In other words, it's not a bypass for apt; it works in addition to it.
But livepatching doesn't cover all situations. Currently it's only high priority CVEs, and the article talks of situations where it's not possible at all. Given that apt is the fallback, I don't see how anyone could consider it to be lock-in.