I see a well working watchdog as good engineering. A safety feature that should not be needed but is there anyway just in case.

While the hope is that I will never need it, I expect it to work unless the board is toast. When people buy hobby equipment, they may be able to just cycle power if their equipment locks up. But if the equipment is located in a vehicle on another continent, or maybe far from the closest usable road, the cost of a hung unit can be extremely high. If a customer needs to spend hours and use a bandwaggon to visit the installation, I don't want any power cycle to solve their issue. I want them to find a melted antenna cable, or some other major and "interesting" major mishap outside my control.

I don't think I can remember the last time I saw a watchdog reset happen, except for test-bench/factory test setups where the code intentionally don't kick the watchdog, or I have just written some new - and broken - code that doesn't kick. Even better is that I can't remember any device that have hung and not being reset by the watchdog. The closest I have had, is devices that have entered power-save states at unplanned times because of unexpected input signals not being "compatible" with used sw-based filtering logic.

And good/bad practice aside they are sometimes required, or the equpment can't be certified.