Yep, sure can. Assets is just another directory on the filesystem of the device. Permissions are enforced on those based on the underlying Linux permissions model, so anyone with access to root on the device can access anything on it.

There is an in-depth discussion of how the assets of applications are isolated/protected, as well as a discuss about how root can access them and how you can protect against this, in Application Security for the Android Platform (disclaimer: I’m the author of this book). Basically, if you’re concerned about root having access to files within your application, you’re going to want to encrypt them so even if root can get to them, they will not be readable. This approach has a lot of its own implementation problems, all centered on how you manage the keys used to encrypt/decrypt the files. While there are things you can do to make it much more difficult for someone with root to get as your application’s files, you cannot make this impossible as root users have full control over the device and everything on it.