The UML kernel is mapped into the address spaces of its processes. Because of the performance impact of protecting kernel memory from userspace, it is mapped in writeable by default. In 'jail' mode (or 'honeypot' mode, which enables 'jail' if necessary), it is write-protected whenever the process is running in userspace.
There are some exceptions, some of which can be fixed but don't seem exploitable, and one of which (the kernel stack) is not fixable given the current capabilities of the host Linux, but is not exploitable.