strike that, it's osquery that's not healthy. But I finally devised the right way to test it

SELECT CASE
           WHEN
                  (SELECT count(*)
                   FROM plist
                   WHERE path = "/Library/Application Support/com.apple.TCC/MDMOverrides.plist") > 0 THEN
                  (SELECT value
                   FROM plist
                   WHERE path = "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"
                   AND KEY = "com.crowdstrike.falcon.Agent"
                   AND subkey = "kTCCServiceSystemPolicyAllFiles/Allowed")
            ELSE "couldn't read"
       END cs_fda_status;

1 means enabled, 0 disabled, NO RESULT means profile/matching key not present, "couldn't read" means no FDA for osqueryd itself

There are several ways to achieve this. Eyeballing it, this seems reasonable enough, though you can do it without subselects