Determining @trusted-status

[Clarice via Digitalmars-d-learn]

It seems that @safe will be de jure, whether by the current state 
of DIP1028 or otherwise. However, I'm unsure how to responsibly 
determine whether a FFI may be @trusted: the type signature and 
the body. Should I run, for example, a C library through valgrind 
to observe any memory leaks/corruption? Is it enough to trust the 
authors of a library (e.g. SDL and OpenAL) where applying 
@trusted is acceptable?
There's probably no one right answer, but I'd be very thankful 
for some clarity, regardless.