Yes, you’re right f_value and f_len are also unsafe, I missed them, that’s why I’m preferring to rely on a type checker :))
And yes, if all unsafe definitions are consolidated in one of the two modules (e.g., in Bytes), then the definition will be accepted as safe, since at least one of two modules is safe (and neither Byte_array nor Bytes are, apparently, self-recursive - though the type checker will say if they are), so there is an initialization order that is safe.
@octachron, I wish the error message will also refer the actual sources of unsafeness.