I could very easily be mistaken that the checkbox in (now as of Ventura) System Settings isn't actually defaults (or otherwise) directly read-able

your saying there is no plist that can be read to figure out the state of that checkbox?

All detection methods I've heard of so far have been unable to directly detect this without shelling out to the wonderfully unreliable softwareupdate binary https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/ /cc @frogor

There was a private framework I used in Launcher once that was reading all those checkboxes. @seph might know if it still works.

Alternatively could check the os version and compare it against https://gdmf.apple.com/v2/pmv, and

PostingDate

... and if the latest update for the OS has been out > x days, and its not installed, let me know etc. For my use case, I just need to know that updates are being regularly applied - doesn't matter to me if it is set to autoupdate or not. (though it would be ideal if it was)

I don’t remember which ones groob wrote, but Kolide Launcher has a handful of tables for macos security updaters. Some use internal frameworks. It’s all a bit unclear.