PT-2026-40553 · Crates.Io · Rustdx

Published: 2026-05-02 · Updated: 2026-05-02

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
The bytes helper module contains multiple public functions (into_arr4(), into_arr2(), u8_from_le_bytes()) that use slice.get_unchecked(pos..pos + N) without verifying that pos + N <= slice.len(). These are public safe API functions, allowing any caller to trigger undefined behavior by passing invalid positions.
For example, calling into_arr4(&data, 10) where data is a 3-byte slice causes an out-of-bounds access since position 10 exceeds the slice length.
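
The unchecked pattern next to a bounds-checked replacement, as an added example that is not rustdx's own code. The function signatures and the names into_arr4_unsound, into_arr_checked and u16_le_at are assumptions made for illustration.

```rust
/// Pattern described in the advisory (signature assumed): a safe `pub fn`
/// that trusts `pos`. With pos + 4 > slice.len() this is undefined behavior.
pub fn into_arr4_unsound(slice: &[u8], pos: usize) -> [u8; 4] {
    let mut out = [0u8; 4];
    // No check that pos + 4 <= slice.len() before the unchecked access.
    out.copy_from_slice(unsafe { slice.get_unchecked(pos..pos + 4) });
    out
}

/// Checked replacement (hypothetical name): returns None instead of reading
/// out of bounds, and also rejects a `pos + N` that would overflow usize.
pub fn into_arr_checked<const N: usize>(slice: &[u8], pos: usize) -> Option<[u8; N]> {
    let end = pos.checked_add(N)?;
    let src = slice.get(pos..end)?; // bounds-checked; None if end > len
    let mut out = [0u8; N];
    out.copy_from_slice(src);
    Some(out)
}

/// Little-endian u16 read built on the checked helper (hypothetical name).
pub fn u16_le_at(slice: &[u8], pos: usize) -> Option<u16> {
    into_arr_checked::<2>(slice, pos).map(u16::from_le_bytes)
}

fn main() {
    // Constructed sample: a 3-byte slice, as in the advisory's example.
    let data = [0x01u8, 0x02, 0x03];
    // The advisory's call shape: position 10 on a 3-byte slice.
    assert_eq!(into_arr_checked::<4>(&data, 10), None);
    // In-range reads return the same bytes from both versions.
    let ok = [1u8, 2, 3, 4, 5];
    assert_eq!(into_arr4_unsound(&ok, 1), [2, 3, 4, 5]);
    assert_eq!(into_arr_checked::<4>(&ok, 1), Some([2, 3, 4, 5]));
    println!("{:?}", u16_le_at(&data, 1)); // Some(770), i.e. 0x0302
}
```

If the unchecked access has to stay for performance, the other sound option is to declare the function `unsafe fn` and document the `pos + N <= slice.len()` requirement as its safety contract.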

Related Identifiers

RUSTSEC-2026-0123

Affected Products

Rustdx