Why are namespaced sysctls not all safe in kubernetes?

for sysctl configuration, why is there safe and unsafe group? if sysctl is namespaced, then it shall be safe. and pod (container) sysctl can be set independently since they are in independent namespace.

So the question is why those namespaced sysctls are grouped into unsafe group?

Thanks,
Ryan