SERVER-124960 enabled probabilistic blind writes (WT cursor overwrite=true) on DSC standbys. Today the policy is chosen at multiple call sites:

• KVEngine::chooseBlindWritePolicy (cross-layer entry from oplog applyContainerOperations)
• WiredTigerRecordStore: wtDeleteRecord, wtUpdateRecord, _insertRecords, Oplog::_insertRecords
• WiredTigerIndex: insert, unindex (with !isIdIndex() guard)

Current safety properties:

• DisaggregatedPersistenceProvider::shouldUseBlindWriteWhenSafe returns false on primaries (canAcceptWritesForDatabase == true).
• chooseBlindWriteOverwrite consults that gate before sampling, so primaries always end up choosing non-blind today.

The goal of this ticket: harden against a future PersistenceProvider/engine bug ever choosing blind writes on a primary, on a write that would otherwise have been non-blind. Two implementation options:

1. Invariant inside chooseBlindWriteOverwrite itself (and/or KVEngine::chooseBlindWritePolicy). One central place; covers all
current and future call sites.
2. tassert at every cursor-open site that resolves the policy (the 6 WT-internal ones + the *Ident paths). More explicit per-site, but duplicative.

Option 1 is the central place to enforce the invariant once. Decide based on what "primary" check is cheap enough for the hot write path.

Acceptance: any caller, anywhere, that resolves the blind-write policy to BlindWritePolicy::blind on a primary triggers a fatal/test failure rather than silently corrupting data.