
Comment by pornel

3 hours ago

The idea behind the safe/unsafe split is to provide safe abstractions over code that has to be unsafe.

The unsafe parts have to be written and verified manually very carefully, but once that's done, the compiler can ensure that all further uses of these abstractions are correct and won't cause UB.

Everything in Rust becomes "unsafe" at some lower level (every string has unsafe in its implementation, the compiler itself uses unsafe code), but as long as the lower-level unsafe is correct, the higher-level code gets safety guarantees.

This allows kernel maintainers to (carefully) create safe public APIs, which will be much safer to use by others.

C doesn't have such an explicit split, and its abstraction powers are weaker, so it doesn't let maintainers create APIs that can't cause UB even if misused.
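As an added illustration of the safe/unsafe split the comment describes (example code, not from the comment or from any kernel project), here is a small Rust type that hides one carefully verified `unsafe` block behind a safe public API. The device register block is modelled by an owned `Vec<u32>` standing in for mapped MMIO; that stand-in is an assumption of the example.

```rust
/// A safe wrapper around a raw memory region. The backing storage is a
/// `Vec<u32>` here (assumption: real driver code would map MMIO instead).
pub struct RegBlock {
    /// The raw pointer reads below are only valid while this allocation is
    /// alive and untouched; owning it here is what makes that hold.
    regs: Vec<u32>,
}

#[derive(Debug, PartialEq)]
pub enum RegError {
    Unaligned(usize),
    OutOfRange(usize),
}

impl RegBlock {
    pub fn new(regs: Vec<u32>) -> Self {
        RegBlock { regs }
    }

    /// The only way safe code can read through the raw pointer. Every
    /// precondition of the `unsafe` block is checked here, once, so a caller
    /// passing a bad offset gets an error rather than undefined behaviour.
    pub fn read(&self, byte_offset: usize) -> Result<u32, RegError> {
        if byte_offset % 4 != 0 {
            return Err(RegError::Unaligned(byte_offset));
        }
        let idx = byte_offset / 4;
        if idx >= self.regs.len() {
            return Err(RegError::OutOfRange(byte_offset));
        }
        let base: *const u32 = self.regs.as_ptr();
        // SAFETY: `idx < regs.len()` keeps `base.add(idx)` inside the
        // allocation, and `base` is 4-byte aligned because it points at u32s.
        // `read_volatile` mirrors a register read that must not be elided.
        Ok(unsafe { base.add(idx).read_volatile() })
    }
}

fn main() {
    // Constructed sample contents for the register block.
    let blk = RegBlock::new(vec![0xdead_beef, 0x0000_0001]);
    assert_eq!(blk.read(4), Ok(1));
    assert_eq!(blk.read(6), Err(RegError::Unaligned(6)));
    assert_eq!(blk.read(8), Err(RegError::OutOfRange(8)));
    println!("all register reads behaved as expected");
}
```

The `unsafe` block is the part that has to be reviewed by hand; everything that calls `read` is checked by the compiler and cannot reach it with an invalid offset.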