Consider if future::cancel should be safe by default #37

@kammce

Safe by default means that cancellation only occurs if the context is in an acceptable state to be cancelled. For example, blocked by I/O and external are probably unacceptable to cancel because I/O may be writing to a resource currently held by the coroutine frame. Destroying the frame but allowing that coroutine stack memory to be reused by other coroutine frames would be disastrous. Blocked by external would also be a lifetime violation because some external coroutine scheduler/executor is expected to resume our coroutine, and if they do so and our frame has been destroyed, we'd get UB. Being blocked by nothing is the perfect time to be cancelled. Being blocked by time and sync are also acceptable to be cancelled.

Calling cancel() would cancel if the state is cancellable or simply return. To be assured that the cancellation went through, the is_cancelled() API can be called. We could also provide a sync_cancel(). A better name combo would be try_cancel(), which attempts to cancel the operation, and cancel(), which performs a synchronous operation of waiting until the coroutine is cancelled before returning.
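
A toy model of the semantics proposed above, added here as an illustration; it is not code from the issue or from the project. The names `blocked_by`, `toy_future`, `set_state` and the `resume_once` callback are hypothetical, and setting a flag stands in for destroying the coroutine frame.

```cpp
#include <cstdint>
// Hypothetical names throughout; this models the proposal, not a real API.
enum class blocked_by : std::uint8_t { nothing, time, sync, io, external };

// Safe only when no other party still holds a reference into the frame.
constexpr bool cancellable(blocked_by s) {
  return s == blocked_by::nothing || s == blocked_by::time ||
         s == blocked_by::sync;
}

class toy_future {
public:
  void set_state(blocked_by s) { m_state = s; }  // stands in for the scheduler
  bool is_cancelled() const { return m_cancelled; }
  // Cancel if the state allows it, otherwise return with the frame untouched.
  bool try_cancel() {
    if (cancellable(m_state)) m_cancelled = true;  // real code frees the frame
    return m_cancelled;
  }

  // Synchronous form: drive the operation until cancellation is safe.
  template <typename Resume>
  void cancel(Resume&& resume_once) {
    while (!try_cancel()) { resume_once(*this); }
  }
private:
  blocked_by m_state = blocked_by::nothing;
  bool m_cancelled = false;
};

// Result of a single try_cancel() issued while blocked by `s`.
bool try_cancel_in(blocked_by s) {
  toy_future f;
  f.set_state(s);
  return f.try_cancel();
}

// Constructed scenario: I/O in flight that completes on the second poll.
int polls_until_cancelled() {
  toy_future f;
  f.set_state(blocked_by::io);
  int polls = 0;
  f.cancel([&](toy_future& self) {
    if (++polls == 2) { self.set_state(blocked_by::nothing); }
  });
  return polls;
}

int main() { return (!try_cancel_in(blocked_by::io) && polls_until_cancelled() == 2) ? 0 : 1; }
```

In this model the blocking `cancel()` returns only once the state leaves `io` or `external`; if nothing ever resumes the operation, it never returns.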
