Using `unsafe`

Unconditionally guarantee safety, or mark API as unsafe. [FIXME: needs RFC]

Memory safety, type safety, and data race freedom are basic assumptions for all Rust code.

APIs that use unsafe blocks internally thus have two choices:

The result is that a client program can never violate safety merely by having a bug; it must have explicitly opted out by using an unsafe block.

Of the two options for using unsafe, creating such safe abstractions (the first option above) is strongly preferred.