Comment by btown

4 years ago

I think it's an exaggeration to say that it's impossible to keep local AV databases up to date in a meaningful way.

Use compressed probabilistic data structures and ship minimal diffs to save bandwidth and storage; you can fall back to phoning home if there's a possibility of a collision with a known-bad hash. Apple's solved push messages at scale; it could piggyback an update mechanism on that, or use the techniques Dropbox uses to notify about file updates. It can do this at the OS level so there's no threat of a user process not being active to pull updates. And the check is already soft-failing (per the OP) so it won't break if the system is offline, so they're already not caring about threats that are so new, they were found while the computer was offline.

You need to solve a lot of timing diagrams and race conditions (and, if we're being snarky, maybe it's for the best that Apple isn't trying to do this!) but it should be doable.
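The local-filter-plus-confirmation design sketched above, as an added Python example that is not part of the comment: a compact Bloom filter over a constructed set of known-bad hashes gives a definite negative without any network traffic, a possible hit is confirmed online, and the check soft-fails open when the confirmation service is unreachable. The class, function names and hash values are all constructed for illustration.

```python
import hashlib
import math


class BloomFilter:
    """Fixed-size Bloom filter; indices derived from SHA-256 (illustrative)."""

    def __init__(self, n_items: int, fp_rate: float) -> None:
        # Standard sizing: m bits and k probes for the target false-positive rate.
        self.m = max(8, math.ceil(-n_items * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _indices(self, item: str):
        h = hashlib.sha256(item.encode()).digest()
        # Double hashing: k indices from two independent 64-bit halves of the digest.
        a = int.from_bytes(h[:8], "big")
        b = int.from_bytes(h[8:16], "big")
        return [(a + i * b) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for idx in self._indices(item):
            self.bits[idx // 8] |= 1 << (idx % 8)

    def might_contain(self, item: str) -> bool:
        # False positives are possible, false negatives are not.
        return all(self.bits[idx // 8] & (1 << (idx % 8)) for idx in self._indices(item))


# Constructed sample of known-bad file hashes that would ship in the local filter.
KNOWN_BAD = {"a1" * 32, "b2" * 32, "c3" * 32}
LOCAL_FILTER = BloomFilter(n_items=len(KNOWN_BAD), fp_rate=0.01)
for known_hash in KNOWN_BAD:
    LOCAL_FILTER.add(known_hash)


def check_file(file_hash: str, confirm_online) -> str:
    """Return 'clean', 'blocked' or 'allowed-offline'.

    confirm_online(file_hash) -> bool is the phone-home lookup; it raises
    ConnectionError when the device is offline (hypothetical interface).
    """
    if not LOCAL_FILTER.might_contain(file_hash):
        return "clean"            # definite negative: no network round trip
    try:                          # possible collision: confirm against the real list
        return "blocked" if confirm_online(file_hash) else "clean"
    except ConnectionError:
        return "allowed-offline"  # soft-fail, matching the behaviour the OP describes
```

Only the small fraction of files whose hash collides in the filter ever causes a network request, which is the bandwidth argument the comment makes.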