safe_primitive(?Goal) is nondet [multifile, library(sandbox)]
True if Goal is safe to call, i.e., it cannot access dangerous system resources and cannot upset other parts of the Prolog process. There are two kinds of facts. ISO built-ins are declared without a module prefix. This is safe because these primitives may not be (re-)defined (i.e., given an unsafe implementation), and the way around that restriction, redefine_system_predicate/1, is itself classified as unsafe. The other group is module-qualified and only matches if the system infers that the predicate is imported from the given module.
sandbox:safe_primitive(+Goal) is semidet [multifile, library(pengines_sandbox)]
Declare the core pengine operations as safe. For local pengines, their safety is guaranteed by the sandboxing applied to all pengines.
To be done
- If at some point we allow for `unsafe' pengines, we must reconsider this.
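The following is an added example, not code from the SWI-Prolog sandbox or pengines libraries. It shows the mechanism both entries above rely on: a user module extends the multifile sandbox:safe_primitive/1 with a module-qualified fact for one of its own predicates, and safe_goal/1 then accepts goals built on that predicate while still rejecting goals that reach for system resources or for redefine_system_predicate/1. The module name my_text_utils and the predicates words/2 and demo/0 are hypothetical.

```prolog
% Added example, not part of library(sandbox) or library(pengines_sandbox).
% Module and predicate names (my_text_utils, words/2, demo/0) are made up.
:- module(my_text_utils, [words/2, demo/0]).
:- use_module(library(sandbox)).
:- use_module(library(error)).
:- use_module(library(apply)).
:- use_module(library(lists)).

%!  words(+Text, -Words) is det.
%
%   Split an atom or string on white space. Pure: no I/O, no global
%   state. A predicate must be side-effect free before it is declared
%   safe, because a safe_primitive/1 fact makes the sandbox accept the
%   goal without inspecting its body.
words(Text, Words) :-
    must_be(text, Text),
    split_string(Text, " \t\n", " \t\n", Parts),
    exclude(==(""), Parts, Words).

% Module-qualified declaration: only matches when the sandbox infers
% that the goal it is checking is imported from my_text_utils.
:- multifile sandbox:safe_primitive/1.
sandbox:safe_primitive(my_text_utils:words(_, _)).

%!  demo is det.
%
%   Run safe_goal/1 over a constructed list of goals and report which
%   the sandbox accepts. safe_goal/1 throws (typically a
%   permission_error) for goals it considers unsafe, so the catch/3
%   turns that into failure and the goal is reported as unsafe.
demo :-
    Goals = [ words("hello sandbox world", _),   % declared safe above
              atom_length(hello, _),             % ISO built-in, safe
              shell(ls),                         % system access, unsafe
              open('/etc/passwd', read, _),      % file access, unsafe
              redefine_system_predicate(foo/0)   % the escape hatch, unsafe
            ],
    forall(member(G, Goals),
           (   catch(safe_goal(G), _Error, fail)
           ->  format("safe:   ~q~n", [G])
           ;   format("unsafe: ~q~n", [G])
           )).
```

Run with `swipl -g demo -t halt my_text_utils.pl`. The design point worth keeping in mind: a safe_primitive/1 fact is a trust statement, not a check. Declare only predicates whose bodies you have reviewed for side effects, and qualify them with their defining module so the fact cannot be matched by an unrelated predicate of the same name.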