It's stated in the docs about potentially unsafe operations in the upgradeable contract instances:
There is, however, an exception. If the direct call to the logic contract triggers a
selfdestructoperation, then the logic contract will be destroyed, and all your contract instances will end up delegating all calls to an address without any code.
Would it help to secure the
selfdestruct or any other unsafe operations if we had the functions running these unsafe operations by adding a
onlyOwner modifier to them? In this case, only the owner can call the selfdestruct either from the proxy or directly on the contract instance?