My current problem with rust is the dependency hell. Hundreds of sub dependencies for every top level one. Yes some of them are super common like serde or rand, or oddly some crate that seems to be just to create directories on the filesystem?! A blessed subset of crates is what I was counting on to save the day, but when something like tonic brings in 100 or so fine grained one-off sub dependencies I don't think that can work. Right now I am just plugging my ears saying "my code is memory safe and I am fearlessly concurrent!" But I am thinking "what horrible thing is lurking in the depths of my dependency tree and which state actor put it for later?" If that seems paranoid look at the recent issues with pypi malicious packages. I know I can roll my own, but that cost money, and if tokio or tonic didn't exist, and crates wasn't so darn easy to use, maybe google would have made a monolithic grpc crate instead?
In large projects other developers usually perform code reviews.
And even if not, there's a higher chance someone else will notice some sketchy code while working nearby.
