I looked into writing an http server based on iouring myself, but all the resources I could find said iouring is less safe from a cybersecurity perspective.
Is there a safe way to use iouring for a webserver, or is libuv the better way to go, even though it has less performance?
A webserver shouldn't be calling io_uring internals without doing its own bound checking and http logic, nor should it be calling io_uring with remote-controlled crafted fd's or access pattern that might still have bugs in them.
At the level you'd be exposing io_uring (internals) via external http requests; it's security is perfectly fine.