Personally I think that Neutron strives to use as little Linux networking (bridges, veth pairs) as possible. If it were not for the iptables-based security groups, not even the qbr-s (which are currently Linux bridges) would exist. I think that is where OVN is headed: pure Open vSwitch, full-featured virtualized networking.

Speaking about the userspace crossing, you surely know that in Open vSwitch only the first packet in a flow hits user space. Based on that one, a datapath flow is created in kernel space and all subsequent traffic matching the flow goes directly through kernel space. If you haven't tried already, look closer at ovs-dpctl, particularly the show and dump-flows subcommands. I'm sure you will find any flow that passes through the patch ports there.
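
As an added example (not part of the original post), the following sketch summarises the two ovs-dpctl outputs mentioned above: the share of lookups that missed the kernel flow table and went to user space, and per-port totals of the kernel datapath flows. The function names are hypothetical and the sample output is constructed; on a live host, pipe `ovs-dpctl show` and `ovs-dpctl dump-flows` into the functions instead.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the sample text below is
# constructed to resemble ovs-dpctl output, not captured from a real host.

# From `ovs-dpctl show` on stdin: kernel hits vs. misses (a miss is a packet
# handed to user space, which then installs a datapath flow).
dp_miss_stats() {
    awk '/lookups:/ {
            for (i = 1; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[1] == "hit")    h += kv[2]
                if (kv[1] == "missed") m += kv[2]
            }
         }
         END { t = h + m
               printf "hit=%d missed=%d miss_pct=%.2f\n", h, m, (t ? 100 * m / t : 0) }'
}

# From `ovs-dpctl dump-flows` on stdin: "in_port flows packets bytes" per
# datapath input port, i.e. traffic forwarded without leaving the kernel.
dp_flow_summary() {
    awk '/in_port\(/ {
            port = $0; sub(/.*in_port\(/, "", port); sub(/\).*/, "", port)
            pk = $0;   sub(/.*packets:/, "", pk);    sub(/,.*/, "", pk)
            by = $0;   sub(/.*bytes:/, "", by);      sub(/,.*/, "", by)
            flows[port]++; packets[port] += pk; bytes[port] += by
         }
         END { for (p in flows) print p, flows[p], packets[p], bytes[p] }' | sort -n
}

# Constructed sample of `ovs-dpctl show`
SAMPLE_SHOW='system@ovs-system:
  lookups: hit:2997 missed:3 lost:0
  flows: 3
  port 0: ovs-system (internal)
  port 2: tap-a
  port 3: tap-b'

# Constructed sample of `ovs-dpctl dump-flows`
SAMPLE_FLOWS='recirc_id(0),in_port(2),eth(src=fa:16:3e:00:00:01,dst=fa:16:3e:00:00:02),eth_type(0x0800),ipv4(frag=no), packets:1523, bytes:149254, used:0.012s, actions:3
recirc_id(0),in_port(3),eth(src=fa:16:3e:00:00:02,dst=fa:16:3e:00:00:01),eth_type(0x0800),ipv4(frag=no), packets:1498, bytes:146804, used:0.012s, actions:2
recirc_id(0),in_port(2),eth(src=fa:16:3e:00:00:01,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806), packets:4, bytes:168, used:3.1s, actions:3'

printf '%s\n' "$SAMPLE_SHOW"  | dp_miss_stats
printf '%s\n' "$SAMPLE_FLOWS" | dp_flow_summary
```

A low miss percentage alongside growing per-flow packet counters is what the kernel fast path looks like in these outputs.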