I wonder which option OP is implying is an issue. Either functionality is perfectly valid software engineering.
I for one prefer to keep asserts in production code to fail fast. Depending on the language and domain of the program you may or may not catch them with logging to keep the program running.
Using assertions to validate malicious input is not a valid software engineering choice, unless one can guarantee that the assertions will always be active in the production code.
I for one prefer to keep asserts in production code to fail fast. Depending on the language and domain of the program you may or may not catch them with logging to keep the program running.