If you ever write the word "unsafe" in a Rust codebase, and you are not directly needing to poke bits on some hardware, you are doing it very, very wrong.
Good link you shared. I personally always went with option 2 he presents.
This kind of dogmatism is why people think Rust will be impossible to adopt. All `unsafe` means is that the code inside the block doesn't have Rust's guarantees and should be inspected extra carefully by hand, much the same as you'd ideally inspect every single line of C. If sprinkling `unsafe` everywhere allows an organization to quickly adopt Rust's guarantees elsewhere and they're aware of that caveat (hard not to be, given the naming), that can only be a net improvement over doing the entire thing in C.
You can always go through and systematically remove unnecessary `unsafe` later if needed, but there's no need to do so upfront if that would prevent adoption.
It's (much) more involved than using C++, but that's a worthwhile tradeoff for something as important as a browser engine.
More info: https://eli.thegreenplace.net/2021/rust-data-structures-with...