Lack of `mut` in bindings as a deny-by-default lint

One reason we keep certain things as hard errors rather than lints: it establishes a baseline that you can safely assume about other people's code, since it can't be turned off. And as a result, that baseline can become part of people's mental model of Rust itself, rather than something that might or might not be true in any given codebase.

We have to take care to not use that lightly, because that places work on all users of Rust to maintain code to that baseline. But there are cases where we do. We don't allow using one integer type where another was expected. We don't allow certain operations outside an unsafe block. We don't allow mutating operations without mut.

Also, note that the reverse (unnecessary mut) is a lint. So you can always err on the side of leaving mut in as you refactor, and you'll get warnings rather than hard errors.

I think the standard we should apply is asking whether something is part of the baseline that people should be able to assume about all Rust code, and if that's worth the tradeoff of requiring that baseline of all Rust users.