Nothing prevents you from doing both approaches. I mean, while Mozilla is increasing Rust usage, they're also rolling out more extensive sandboxing.
Either of those by itself is not a good enough solution, though. Just trusting in Rust means you are vulnerable to Rust bugs or logic errors. Just trusting in sandboxing means you're hoping that your trusted code (written in C/C++) doesn't have any security bugs.
Indeed, though trusting unsafe blocks in Rust is more tractable than trusting an entire C/C++ codebase due to the fact that unsafe blocks present a drastically reduced auditing surface.
That's the contention, yes. In practice currently there is an incredible self-selection bias with respect to how tractable that position is if (when?) Rust becomes more widely used outside the circle of the True Faithful.
Sure, but the question is how wide the "unsafe" boundaries are.
If I'm writing an application that uses the network in a standard way, I should be able to write a program with NO unsafe blocks.
As always, things have bugs. Rust, itself, may have bugs that get exposed over time once adoption starts to increase. Rust gets some "security through obscurity" for the moment.
Once they start pushing Rust code into Firefox, that will change dramatically.