There seems to be some flexibility in what can be done while iterating over a directory, for instance the current file can be read, and it can even be deleted.

However, some things must be prevented. E.g. in a setup like

.
├── a.txt
├── b.txt
└── c.txt

if c.txt is deleted while the iterator is at b.txt, there's a crash: thread 'fsc::tests::todo' panicked at 'slice index starts at 4294966960 but ends at 4096', src/libcore/slice/mod.rs:2680:5

The plan is then to have read_dir_and_then expose a RestrictedFilesystem, that e.g. might prevent Filesystem::remove (mark as unsafe, or remove method completely).

We do want to keep Filesystem::remove_dir_all for instance, though.