I suspect that having a granular level of specifying safe/unsafe is the wrong approach. Doing it at the module level is easy to understand, and has the side effect of encouraging better modularization of safe/unsafe code.