Pre-RFC: Rust Safety Standard
In addition, I have added the Principle of Least Unsound Scope to emphasize that unsafe code should be confined to the smallest scope necessary, with safety enforced as early as possible.
@hxuhack
Whether this is a good idea is much-debated.
It is often not actually considered beneficial to constrain unsafe {} to the smallest possible scope if there are multiple successive unsafe operations, because often temporarily-broken invariants that must be restored for soundness before leaving the larger scope (e.g. the function) may be broken early in that scope, and only restored after all the unsafe {} operations. In this case, using multiple small unsafe {} is possible syntactically in the language but can be misleading as to where the unsoundness risks live and when what obligations are discharged.
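The situation described in this reply, as an added example that is not part of the original thread: a `Vec` insertion in which the invariant is broken by the first unsafe operation and restored only by the last. `insert_at` is a hypothetical helper written for this illustration, modelled on what `Vec::insert` does.

```rust
use std::ptr;

/// Hypothetical helper (not from the thread): insert `value` at `index`,
/// shifting the later elements one slot to the right.
pub fn insert_at<T>(v: &mut Vec<T>, index: usize, value: T) {
    let len = v.len();
    assert!(index <= len, "index out of bounds");
    v.reserve(1); // safe precondition: capacity >= len + 1

    // SAFETY: `index <= len < capacity`, so every pointer below stays inside
    // the allocation. One block covers the whole window in which the Vec
    // invariant "slots 0..len each own a distinct initialized T" is broken.
    unsafe {
        let p = v.as_mut_ptr().add(index);
        // Invariant broken (when index < len): slots `index` and `index + 1`
        // now hold the same bits, and the old last element lies outside
        // 0..len. Dropping `v` at this point would double-drop one element
        // and leak another.
        ptr::copy(p, p.add(1), len - index);
        // Overwrite the stale duplicate without running its destructor.
        ptr::write(p, value);
        // Invariant restored: len + 1 distinct, initialized elements.
        v.set_len(len + 1);
    }
    // Writing the three calls as three separate `unsafe {}` blocks would
    // compile identically, but the obligation opened by `ptr::copy` is only
    // discharged by `set_len`, so no single small block is sound by itself.
}

fn main() {
    // Constructed sample input.
    let mut v = vec![String::from("a"), String::from("c")];
    insert_at(&mut v, 1, String::from("b"));
    println!("{:?}", v);
}
```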