Pre-RFC: Unsafe traits conditionally depending on safe trait behaviour

CAD97:

Imo, having e.g. #[marker] unsafe trait UseAllocator: Allocator + Clone to mark clones that correctly share the allocator is honestly reasonable. It's a difference between #[unsafe(satisfies_preconditions(Allocator))] on the Clone impl (which now can't be derived) or an unsafe impl for UseAllocator. The former doesn't seem much better than the latter to justify the new mechanism for marking impls as fulfilling safety guarantees.

We have an existing way of expressing this kind of contract. Given that the Clone and Allocator impls for a type can come about completely independently via generic impls involving other traits defined in independent crates, I don't see how we can reasonably check in a local way that all involved Clone impls have the needed attribute.

Maybe we should have nicer syntax to define and use such traits, but they do look like fundamentally the right mechanism to me.