nodejs / security-wg

Node.js Ecosystem Security Working Group

Threat Model question about Permission Model

4xpl0r3r opened this issue

According to the threat model, loaded code is trusted. What I want to know is: if a vulnerability requires monkey-patching to bypass the permission model, is it still recognized as a valid vulnerability? The response will direct my security research, thank you.

Most of the time, yes. If you find a way to use the official require('fs') module to bypass the capabilities imposed by the permission model, it is likely to be accepted. It is important to note that it should not be recognized as a known limitation in https://nodejs.org/api/permissions.html#limitations-and-known-issues

Thank you, I see.