It's intentional that only versioned-based dependencies prohibit unsafe flags, but it seems like you're right that this isn't really documented anywhere.
As for the confusion, something like RFC: swift package publish-precheck was supposed to solve that, but unfortunately that hasn't materialized so far.