> It's also a bit harder to debug an FFI wrapper in Rust when you tell the compiler your code is safe but then make a mistake in how you use the unsafe C api.

Can you elaborate on to how not having to type unsafe makes debugging of this easier?