Overall I'm happy with the proposal. One thing that concerns me though is moving the FAB auth manager into a separate provider. That auth manager will need to be able to hook into the db migration tooling, and we don't expose that to providers or plugins today. So if we do want to move it, we have to account for that as well.
I feel the vast majority of the benefit here comes from being able to sub in another auth manager, but having the FAB one "not in core" isn't all that consequential at the end of the day. It would keep the strict version requirements of FAB in core though - pick your poison I guess :)