Since the unsafe APIs directly interface with memory directly, they can bring the whole Rust application and/or put it in unknown state by messing up memory.
> Since the unsafe APIs directly interface with memory directly
I'm not sure I follow this. Are you saying the unsafe APIs somehow treat memory differently than any other C API that has been wrapped with a safe C wrapper?
In any case, I'm saying their current unsafe wrapper can sit under another layer, which provides a safe API. Of course, if there's a bug somewhere in the lower layers, it could still be unsafe, but that's true of all C bindings.
How could they "patch" that with a wrapper?