WinAPI has nothing to do with security. Microsoft does not suggest using the Native API, that's why WinAPI exists. You can use Native API and other kernel facilities to do work, but you're risking it breaking if they ever change the Native API which has no promises of stability or backwards compatibility, which is why MS does not suggest targeting it. That's the whole reason WinAPI exists. Wine takes advantage of WinAPI's existence as a mere wrapper for a native OS API by just writing those APIs to work on Linux/macOS.

What (malicious AAA) games actually do to bypass the security of the OS is to install a kernel-mode driver, which would let anyone do anything on any OS and there's not really a good way to prevent that without just crippling your OS. Windows NT does require drivers to be cryptographically signed by an authorized entity before being loaded outside of a special OS dev/testing mode, but, you can get anything signed with enough money. Of course anything that comes with a kernel-mode driver is going to get a ton of pushback by the playerbase, as seen when Fallout 76 tried it.