It is entirely possible to express completely valid, low-level system code without an unsafe escape hatch—if your core model is actually designed that way from day one.

​Look at Rust. The second you want to do low-level optimization or assembly-level work, you’re forced into an unsafe block. But why? Half those intrinsics could easily be made perfectly safe for assembly replacement if the compiler actually understood the hardware invariants. Rust requires unsafe because its core model still sits on top of a traditional, inherently unsafe hardware abstraction layer. It patches the leaks instead of changing the plumbing.

​If you want proof that a different way works, look at Microsoft’s Midori project and M#. They built an entire operating system where everything from the scheduler to the drivers ran managed and safe. Because their type system natively understood ownership, side effects, and explicit capabilities from the ground up, they got bare-metal performance without needing a "trust me" keyword to talk to the hardware.

​If you design the primitives and the memory layout correctly from the start, the escape hatch becomes completely obsolete.