# general
s
OSqueryd (daemon) is based on SQLite and executes on the node with root privilege. Have the osquery binaries been evaluated for SQL-injection-type attacks? I understand it fetches data from a virtual database; is there any possibility of dropping binaries and gaining a root shell (a common pattern of SQL injection attacks)?
z
Yes, some vulnerabilities have been found in the past: https://github.com/osquery/osquery/security/advisories?state=published
👍 1
s
Also, it doesn’t need to run as root on Linux if you aren’t using evented tables.
z
It doesn't necessarily need to run as root on any system, but its capabilities will be limited by the capabilities of the user it runs as.
👍 1
s
Correct, it’s just much easier on Linux using capabilities (specifically CAP_DAC_READ_SEARCH).
z
Oh, interesting. I'd love to read a blog or any content to learn more about this!
s
Well, it’s not exactly a blog post, but you can probably get the general idea from my issue https://github.com/osquery/osquery/issues/6121 and the man pages https://man7.org/linux/man-pages/man7/capabilities.7.html
👍 1
s
Generally speaking, one does not expose osquery to untrusted parties, so SQL injection isn’t the highest risk.
To be able to execute SQL inside osquery, you implicitly already have access to osquery, which generally presents a lot of information on its own. Granted, that is not the same as being able to write in a root context.