This module allows you to create “virtual video devices”. Normal (v4l2) applications will read these devices as if they were ordinary video devices, but the video will not be read from e.g. a capture card but instead it is generated by another application.
I’d assume that this is something that can be most-easily bypassed at the browser level if a site can request access to a camera.
I don’t think that any trusted-to-the-camera hardware stack exists today.
But at an OS level…
I dunno about Windows, but Linux can do virtual video-4-linux devices, which is probably how the OS exposes a camera to a browser on Linux.
https://github.com/v4l2loopback/v4l2loopback