If you set the IWDG to start using the option byte, the watchdog cannot be disabled subsequently. Am I right that
a) the prescaler can be modified
b) the counter itself can be reloaded?
Item b) would be a vulnerability, surely, because faulty code could for ever prevent the watchdog tripping.
How is the counter able to be reloaded a vulnerability? Isn't that sort of required, unless you want the chip to reset all the time? If someone can get faulty code onto the chip, you've already lost. Typically the reload is done in a main loop so that if IWDG is being reloaded, you know the main loop is running, which causes a good number of bugs to stall IWDG and reset the chip.
WWDG is a bit more restrictive, but has drawbacks as well.
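The main-loop reload pattern described in the answer above, as an added example that is not part of the original thread: the reload happens in exactly one place and only when every task has checked in during that pass, so a stalled task lets the IWDG expire. It assumes the STM32 reload key 0xAAAA written to IWDG_KR; the register is simulated by a variable so the code runs on a host, and the task names and the `main_loop_pass` helper are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define IWDG_KEY_RELOAD 0xAAAAu  /* STM32 IWDG_KR value that reloads the counter */

/* Stand-in for the memory-mapped IWDG_KR register (assumption: on target this
   would be the device header's IWDG->KR). */
static volatile uint32_t fake_iwdg_kr;
static unsigned reload_count;    /* instrumentation for this example only */

static void iwdg_reload(void) { fake_iwdg_kr = IWDG_KEY_RELOAD; reload_count++; }

/* Hypothetical tasks: each must check in once per main-loop pass. */
enum { TASK_SENSOR = 1u << 0, TASK_COMMS = 1u << 1, TASK_CONTROL = 1u << 2 };
#define ALL_TASKS (TASK_SENSOR | TASK_COMMS | TASK_CONTROL)

static uint32_t checked_in;

void task_check_in(uint32_t task) { checked_in |= task; }

/* The only call site that reloads the IWDG. Reloads only if every task
   reported progress since the last call, then clears the flags. */
bool watchdog_service(void)
{
    bool all_alive = (checked_in == ALL_TASKS);
    checked_in = 0;
    if (all_alive)
        iwdg_reload();
    return all_alive;
}

unsigned watchdog_reload_count(void) { return reload_count; }

/* One pass of the main loop; stalled_mask simulates tasks that did not run. */
bool main_loop_pass(uint32_t stalled_mask)
{
    if (!(stalled_mask & TASK_SENSOR))  task_check_in(TASK_SENSOR);
    if (!(stalled_mask & TASK_COMMS))   task_check_in(TASK_COMMS);
    if (!(stalled_mask & TASK_CONTROL)) task_check_in(TASK_CONTROL);
    return watchdog_service();
}

int main(void)
{
    printf("healthy pass reloaded: %d\n", main_loop_pass(0));
    printf("comms stalled reloaded: %d\n", main_loop_pass(TASK_COMMS));
    return 0;
}
```

Code that reloads from a timer interrupt instead would keep the counter alive even with the main loop hung, which is the failure the single call site avoids.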