* Mark public API functions as unsafe.
This marks the public hostcalls functions as unsafe.
This is generalizing from Rust's `from_raw_fd` function, which is
unsafe. The observation is that nothing prevents code using this
function from passing a bogus or stale dangling file descriptor and
corrupting an arbitrary open stream.
Technically, some of these functions don't use file descriptors, such as
random, clocks, and a few others. However I expect that in the future,
random and clocks will switch to using file descriptors anyway, and it
keeps the macro definitions simpler if we only have to handle one form.
* Mark WasiCtx functions that operate on file descriptors unsafe too.
* `fd_filestat_set_times_impl` doesn't need to be unsafe.
* Remove unnecessary unsafes
30a4f73cce