The "unsafe" in "unsafeWindow" is that it exposes the privileged GM* functions to the content page: and that page could in theory do something unsavory with them.
If you "@grant none" then there are no privileged GM functions (that's the whole point!), so that vector of unsafe-ness does not exist, so you don't need to worry about it. There's nothing to put in a sandbox.
You also use the ambiguous phrase "without @grant and GM_xx". I take that to mean: a legacy script that does not specify any @grant line, yet does call GM_ functions. In such a case, Greasemonkey detects and acts as if there was a @grant line (with all the same legacy sandboxing).
If your script gets privileged access, it lives in the sandbox that makes that safe. If it doesn't, then it doesn't.
SDK_INITIALIZE should be an event to retrieve rather than a promise object type.
SDK_INITIALIZE may be undefined so you'll not be able to use the .then() method when undefined as stated in the WMESDK Docs (check WME API DOCS also).
When trying to use window.SDK_INITIALIZE. Window it's Tampermonkey userscript window not WME Window.
To solve this with unsafeWindow brings Sec. concerns.
https://www.tampermonkey.net/documentation.php?locale=en#api:unsafeWindow
https://groups.google.com/g/greasemonkey-users/c/mow6fpWmIvE/m/OuJw0MYuGJoJ