Thanks everybody. Good input. Sounds like this is something people really haven't seen happening.
Probably I'm not going to add extra WDT functionality, mainly for cost reasons (50-70 cents is significant to to the hardware budget). I'll use the built in IWDT peripheral while the code is running and the have the RTC running from the low-speed RC oscillator wake the device up periodically so that it can reset all the registers and then go back to standby. There is ESD protection and I'll probably add some slight filtering to the wakeup generating signals to reduce spurious wakeups due to EMI (in my experience the transition from sleep to running and back again is an area where strange bugs can manifest).
We are spending a bit of effort on FW validation because this isn't an IOT device. It's once&done programming-wise. And the user base is definitely not the kind to even want to consider this device has a computer in it. They're not us
. Fortunately the firmware isn't that complex and I'm trying to use reasonable deeply embedded programming ideology (self-test, minimal interrupts (2), non-blocking code, static memory allocations, stack analysis, timing analysis, small modules, state-machine based decision making, some run-time state/value validation, etc). I'm even thinking of some sort of fuzzing hardware test for the device going in and out of standby.