The scenario you described is exactly how I host my sites now (Debian on DO).
I've seen numerous engineers advocate for letting the app crash (or at least gracefully shutting it down), capturing the error, and restarting. Errors crash the Node process by design after all. Perhaps it's not as prevalent as it used to be, but it was certainly considered acceptable and even desirable for a time to let the app crash and restart it with pm2, forever, etc. since an error could leave the app in an unknown state.
citizen has a config option for keeping the app running or exiting the process in the event of an error, so it's up to the dev.