module Test (hook) where

import System.IO.Unsafe

{-# ANN hook (unsafePerformIO (putStrLn "Woops.")) #-}
hook = undefined

➜  Test ghc -fpackage-trust -XSafe Test_simple.hs 
[1 of 1] Compiling Test_simple      ( Test_simple.hs, Test_simple.o ) [flags changed]
Woops.

Test_simple.hs:4:1:
    System.IO.Unsafe: Can't be safely imported!
    The module itself isn't safe.

GHC ultimately rejects the program due to the System.IO.Unsafe import, but this check doesn't occur until GHC has compiled and run the annotation expression, allowing arbitrary IO operations via unsafePerformIO.

The solution is probably to move the import check from the end of renaming/typechecking to the start.