You don’t have to be in the same function as the setjmp; you just have to be in a frame that’s deeper in the stack, or the same frame.
The point about memory safety is really this: if I allowed you to longjmp but did not guard it adequately then you could escape the Fil-C capability model, and then all of Fil-C’s bets would be off. I can’t have that ;-)
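The frame rule described above, as an added C example (not part of the original comment and not Fil-C's implementation): a jump from deeper frames succeeds while the `setjmp` frame is live, and a hand-rolled liveness flag refuses the jump once that frame has returned. The names `guarded_jmp`, `guarded_longjmp`, `handler` and the code value 7 are hypothetical.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical wrapper: jmp_buf plus a flag, set while the setjmp frame is live. */
struct guarded_jmp { jmp_buf env; int live; };

static struct guarded_jmp handler; /* static, so it outlives the setjmp frame */

/* Jump only while the setjmp frame is live; otherwise refuse with -1
   instead of running into undefined behaviour. */
static int guarded_longjmp(struct guarded_jmp *g, int code)
{
    if (g == NULL || !g->live)
        return -1;
    longjmp(g->env, code);
}

/* Frames deeper than the setjmp frame: jumping from here is valid. */
static void deeper(struct guarded_jmp *g, int depth)
{
    if (depth > 0)
        deeper(g, depth - 1);
    else
        guarded_longjmp(g, 7);
}

/* Calls setjmp, then is unwound to from several frames down. Returns 7. */
int jump_from_deeper_frame(void)
{
    int code;
    handler.live = 1;
    switch (setjmp(handler.env)) {
    case 0:  deeper(&handler, 3); code = 0; break; /* not reached after the jump */
    case 7:  code = 7; break;                      /* arrived via longjmp */
    default: code = -1; break;
    }
    handler.live = 0; /* this frame is about to exit: buffer is now stale */
    return code;
}

/* The setjmp frame has returned, so the guard refuses. Returns -1. */
int jump_after_return(void)
{
    (void)jump_from_deeper_frame();
    return guarded_longjmp(&handler, 7);
}

int main(void) { printf("%d %d\n", jump_from_deeper_frame(), jump_after_return()); return 0; }
```

The flag only covers a normal return from the `setjmp` frame and depends on every caller going through the wrapper.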