Does the current Pin forbids us from doing something like that? It looks to me like Foo is never moved after the pin is constructed, yet its destructor is never called.
In my experience, code that relies on destructors being run for safety need to have an unsafe fn new method (or maybe the unsafe comes from the link/foo method itself in our instance?), and use a macro to ensure no trick like the ManuallyDrop can be played. In my example implementation, that would mean I would probably have to further wrap my LinkedFoo in a Pin and give only access to that Pin via a macro in order to ensure that LinkedFoo cannot be mem::forget or put in a ManuallyDrop. We probably ought to document this pattern somewhere.