Critical Description
Safe time is the time after which replicas can serve snapshot reads.
Leaders should only advance the safe time as they commit an operation in their own term (the initial safe time should be the time of that initial operation) and replicas should only advance the safe time based on what the leader says.
If this is not the case then replicas can write to replica A (leader), get back 10 as a write timestamp and read from replica B which still hasn't replicated it and not see its own write. This can even happen while reading from just leaders if B was elected but hadn't yet applied all the previous writes locally.
The attached log provides an example of the latter case
