I agree the wording is a bit strange, but a quick grep of the repo shows that it doesn't imply that.

The only usages of unsafe are in src/ffi, which is only compiled when the ffi feature is enabled. ffi is fundamentally unsafe ("unsafe" meaning "the compiler can't automatically verify this code won't result in undefined behavior") so using it there is reasonable, and the rest of the crate is properly free of unsafe.

It provides a libxml2-compatible C API and that accepted pointers, this would seem to necessitate unsafe at least.

Yeah I'm a bit confused because you can have an entirely unsafe code base with just the public interface marked as safe. No unsafe in the interface isn't a measure of safety at all.