@argv_minus_one @bean @aei Rust has a provably memory-safe subset by default. The fact that the programmer must first explicitly opt out of this subset with unsafe blocks has led to a culture among contributors to well-known projects written in Rust where the measure "fraction of source lines of code in an unsafe block" has become a target. Goodhart's law has something to say about that.
At least nudging projects toward the safe subset isn't quite as intense in Rust as in C#. Several .NET environments are configured to fail to load a third-party assembly if the bytecode parser detects a single unsafe block. In the past, these have included Silverlight, Xbox 360, and Windows Phone 7.