If you are using Particle pub/sub than I would expect you shouldn’t have any UDP related issues (and if its an electron, TCP isn’t even remotely a factor). I’m guessing your issues stem from something else.
I use a TPL5010 timer as an external watchdog. I don’t believe there is an accessible way to use the IWDG. The software watchdog can be helpful depending on your application, though! Much better than nothing.
I assume you are using Particle SIMs?
Can you at least share some pseudo code for the steps you are taking? When you say “lock up our app” and “shutdown/stop operations” those details could be important.
Regardless, my recommendation stands to try and make sure your code can handle OTA without safe mode (but also handle it with safe mode if something goes wrong). Why did you make the move to using safe mode? Essentially the device already puts itself into safe mode once you flash user firmware with a higher system firmware target.
Also, just so you know, the OTA process should be completely safe as far as upgrading through the different version thresholds. You can just flash user firmware with 1.4.1 and it will take care of everything for you. It’s just different for flashing locally / explicitly.