Tracking issue for ensuring `isValid` soundness

[joshlf]

See also: #3088

Currently, isValid is only enforced whenever there is a Hermes annotation. Un-annotated functions can violate isValid invariants. Since we don't have unsafe fields, Rust doesn't prevent modifying a field in such a way that violates type-level invariants. In particular, these modifications don't require unsafe, which in turn means they don't require a safety comment, which in turn means they don't require a Hermes annotation.

Once unsafe fields are stabilized, we can just require them. In the meantime, here is a roadmap to closing the isValid soundness gap without unsafe fields:

• Current state: isValid is not reliably enforced, so users must exercise care
• Require passing --unsound-is-valid to enable isValid annotations
• Permit module-level annotations without --unsound-is-valid
  • At the module level, so long as fields are private, Hermes can see all code that can read/modify fields which carry safety invariants
• Support unsafe fields once it's fully implemented in Rust
  • Tracking issue for RFC 3458: Unsafe fields rust-lang/rust#132922