I find this article weird because from an exploitation point of view external control of allocation is super valuable and having user controlled pages to land on is a big part of the game.

The safety of your memory model is not reliant on how it works when all the constraints are observed, but rather about the safety when one or more of the expected constraints are violated.

I'm not sure I understand what you're saying. It sounds like you're claiming that a static guarantee that you can't cause memory unsafety is insufficient for a memory model to be memory safe, but I suspect I've misunderstood.