GDI dates back to the very first version of Windows, which was capable of running on the 8088 CPU in real mode. The concept of "userspace" was pretty weak, since the CPU didn't support protected mode. GDI obviously ran with full CPU privileges and was built-in to Windows, so "initially 100% userspace" doesn't make very much sense unless you only count MS-DOS as being non-userspace.
This is very much specific to NT's implementation. Originally they did the right thing and put it in userspace. Performance made them rethink that in NT 4. The NT story is most relevant since the vulnerable version in this story is a descendent of NT not of the DOS/Win 9X lineage. Windows NT is a from scratch rewrite.
You are correct GDI as an interface predates NT and protected mode in general, but the codebase used in NT is a different implementation.
