It looks like threat intelligence source indices are controlled with an ILM policy that has a hot tier max age of 1 day and delete min age of 2 days. So I guess while the data is duplicated for ~2 days, that is the best that can be achieved while using Elastic’s current approach.
Not too bad, but I still think there is room for improvement here. Specifically, it would be nice if the threat intelligence view respected the securitySolution:defaultThreatIndex setting or if the source indices did not use index names that match the logs-ti_* pattern.
For example: