Comment by andrewaylett
3 years ago
C has always considered that the programmer knows what they are doing. Programs are assumed correct unless proven invalid.
This is -- or at least was -- a feature, not a bug. You can implement any valid program, but you can also implement some invalid programs.
I know the OP mentioned Rust, but it's a valid comparison: if you don't invoke "unsafe" then all your behaviour is well-defined. But the trade-off is that Rust will only let you implement a subset of valid programs unless you invoke "unsafe", which might be better termed "assumed correct".