Private unsafe fields are a poorly motivated feature

Any other choice just results in "well I'm sure it's not actually UB so I'll just use unsafe" -- we already fight that for things like UTF-8 validation, so I really don't want to make it any worse. This is one of the reasons that MaybeUninit is so good, because it focuses the unsafe just to the one thing that actually needs it. Making uninitialized memory isn't unsafe. Writing to uninit memory isn't unsafe, nor is using that initialized memory in the same branch (assuming you used MaybeUninit::write or Box::write or similar). The unsafe is only for the spot that really can be UB, when you're asserting that it's initialized.

To quote myself,

Today's unsafe is distinguished because if violated you can't trust what you see -- telemetry might be wrong, checks that you see might not happen, etc. That's very different from correctness issues, where the code might be wrong but at least you can debug it, check logs, etc.

What's your proposed rule for what should be unsafe?

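The point the reply makes about MaybeUninit, as an added example that is not code from the post's author: creating the uninitialized slot and writing into it are safe calls, the `&mut T` that `write` returns can be used in the same branch without `unsafe`, and the only `unsafe` block is the one that asserts initialization. The function names `init_in_place` and `squares` and the seed arithmetic are hypothetical, chosen only so the result can be checked.

```rust
use std::mem::MaybeUninit;

/// Build a single value in place. Only the final "this is initialized"
/// assertion needs `unsafe`; everything before it is ordinary safe code.
fn init_in_place(seed: u32) -> u32 {
    // Safe: merely owning uninitialized memory is not UB.
    let mut slot: MaybeUninit<u32> = MaybeUninit::uninit();

    // Safe: `write` initializes the slot and hands back `&mut u32`, so this
    // branch can read and modify the value without any unsafe at all.
    let r: &mut u32 = slot.write(seed);
    *r = r.wrapping_mul(3).wrapping_add(1);

    // The one place that can be UB: claiming the slot is initialized.
    // SAFETY: `slot` was initialized by `write` above on every path.
    unsafe { slot.assume_init() }
}

/// Same shape for an array: every element is written in safe code, and the
/// per-element `assume_init` is the only unsafe step.
fn squares<const N: usize>() -> [u32; N] {
    // Safe: `MaybeUninit<u32>` is `Copy`, so the array repeat form works.
    let mut buf: [MaybeUninit<u32>; N] = [MaybeUninit::uninit(); N];
    for (i, slot) in buf.iter_mut().enumerate() {
        let v = i as u32;
        slot.write(v * v); // safe write, no unsafe needed
    }
    // SAFETY: the loop above wrote all N elements before any is read.
    buf.map(|slot| unsafe { slot.assume_init() })
}

fn main() {
    println!("{}", init_in_place(5));
    println!("{:?}", squares::<4>());
}
```

If the `SAFETY` comment's claim were false (say, a path that skipped a `write`), the bug would sit in the one `unsafe` block, which is what a reviewer checks; the safe code around it cannot be the cause of UB.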