Before the system extension was introduced, a common approach was using a daemon process together with a kernel extension (kauth/nke etc.). But now there are more options:

1) We can call the new API (Endpoint Security) directly from the daemon process without any system extension at all.
2) We can implement only event subscription in the system extension while doing the actual processing in the daemon process.
3) Implement all daemon code in the system extension.

It looks like all these approaches are correct. What are the best practices for the system extension? I am especially interested in cases 2 and 3. Are there any restrictions for the third approach (file/sockets access etc.)? Do we need to implement the system extension as small/smart as possible while implementing the actual processing in the separate process?
Posted by harry-b.