In the context of Osquery my understanding of the EndpointSecurity Framework is that it's a migration path for security vendors currently reliant on a kernel extension. For Osquery that means possibly revising all of the evented tables and adding more, or probably even better, creating a dedicated

mac_endpoint_security_events

table for these events with an additional configuration file that allows you to control which 16/44 available event topics you want Osquery to subscribe to.