Make `decodeUtf8With` fail explicitly for non-BMP repl-chars

This is long-standing issue's existence goes back to `text-0.10`.

This commit is a short-term stop-gap measure turning unsafe undefined
behaviour into an explicit `error` exception (and thus fail
non-silently) which given the longevity of this issue seems to be a
sensible course of action. This commit includes a lengthy source code
comment explaining the issue as well as potential strategies for
future work on maximising the definedness of `decodeUtf8With`,
i.e. support the full range of replacement-characters. This future
work which will be tracked by gh-213.