a malware killing an extension might as well just ...
# core
a malware killing an extension might as well just kill osquery itself, so I don't think it changes much whether it's in core or not
Yes, I agree a malware/hands-on-keyboard attacker can kill osquery/extensions; I was referring to the osquery watchdog killing an extension in the middle of collection while investigating a system with attacker activity or a malicious file installed
The kill will happen anyway, whether it's core or an extension; if it is an extension at least the core will keep running while the extension is restarted