It works because the type (char (buf)[n]) knows the dynamic size 'n'. So the compiler can simply add the bounds check to an array access (buf)[i] if instructed to do so.
The safety story is not complete though: If you pass the wrong size to 'foo' this is not detected (this is easy to add to compilers and I submitted a patch to GCC which would do this): https://godbolt.org/z/T8844e1z8
(ASAN still catches the problem in this case, but ASAN does not work consistently and has a high run-time overhead.)
I never knew that you got runtime bounds-checking with VLAs.
Do you have a link that explains this snippet in more detail? Why/how does it work?
It doesn't appear to work with non-VLAs though.