I am just throwing an idea out, but I think it non-rigorously justifies marking freeze unsafe:
Give every initialized byte and primitive (scalar) value a new form of provenance "secrecy-provenance" (distinct from [and a component of] pointer-provenance) that is either:
demonic // = freeze(uninit))
general // existing values
Most operations would propagate this new secrecy-provenance (arithmetic, bit-ops, selection, casts, etc.). Some
would conditionally propagate it (vector masking, etc.). But some would cause UB when given values with demonic "secrecy-provenance" (I/O primitives, insecure_free operations, conditionals in near-crypto, etc.).
If we had a time machine, only the UB causing primitives would need to be unsafe. However, as some of these UB causing operations (I/O) are declared safe, as they are safe for all existing values, these new values must be introduced as unsafe-but-valid inhabitants, thus their creation operation (freeze) must be unsafe.
Of course, adding a new provenance type would require reevaluating all optimizations and make reasoning about generalized code harder, but I think it would be workable in theory.