Should we make autorelease pools `unsafe`?

[madsmtm]

Currently, objc2::rc::autoreleasepool is safe, which means that pointers that are placed into a pool does not (and cannot) have known lifetimes. This pushes the safety requirement of ensuring that the lifetime of references is bound to the innermost pool onto Retained::autorelease.

But maybe we should invert that, and instead make objc2::rc::autoreleasepool unsafe and Retained::autorelease safe? This would in turn remove a safety requirement from NSString::UTF8String (now you only have to ensure that the string isn't mutated), and would allow immutable classes like NSURL to return &NSString instead of Retained<NSString> from various accessor methods (though we might be able to do that in certain cases anyhow?).

It would have unfortunate knock-on effects though, as callbacks and blocks that are invoked inside an autorelease pool would now no longer be safe, and figuring out which ones do and don't do this would be arduous work.

See #86 and #540 for prior discussion on autorelease pools.

This also affects #810: implementing Index like Swift does is made harder by this, because Index requires us to return an &-reference, which we can sometimes only do if we autorelease the pointer.