Using `unsafe`

Unconditionally guarantee safety, or mark API as unsafe`unsafe`. [FIXME: needs RFC]

Memory safety, type safety, and data race freedom are basic assumptions for all Rust code.

APIs that use unsafe`unsafe` blocks internally thus have two choices:

The result is that a client program can never violate safety merely by having a bug; it must have explicitly opted out by using an unsafe`unsafe` block.

Of the two options for using unsafe`unsafe`, creating such safe abstractions (the first option above) is strongly preferred.