I believe a boundary of capability is the app entitlement where osquery is continuing to be read-only ’in spirit’ whereas tools like Santa can set policies and use a full system extension and also look at file paths and volume mounts and such, in additional contrast to other tools that need entitlements to look at network traffic which are similarly extension-only