diff --git a/src/sealed.rs b/src/sealed.rs
deleted file mode 100644
index a5f07c9..0000000
--- a/src/sealed.rs
+++ /dev/null
@@ -1,204 +0,0 @@
-//! Collections that never leak references to their content, and therefore can be safely accessed via shared references.
-
-use std::borrow::Borrow;
-use std::cell::UnsafeCell;
-use std::collections::{HashSet, VecDeque, hash_set, vec_deque};
-use std::fmt;
-use std::hash::Hash;
-
-/// FIFO queue that never leaks references to its content
-pub struct Queue<T>(UnsafeCell<VecDeque<T>>);
-
-impl<T> Queue<T> {
-    pub fn new() -> Self {
-        Self(UnsafeCell::new(VecDeque::new()))
-    }
-
-    pub fn with_capacity(capacity: usize) -> Self {
-        Self(UnsafeCell::new(VecDeque::with_capacity(capacity)))
-    }
-
-    pub fn push(&self, item: T) {
-        let inner = unsafe { &mut *self.0.get() };
-        inner.push_back(item);
-    }
-
-    pub fn pop(&self) -> Option<T> {
-        let inner = unsafe { &mut *self.0.get() };
-        inner.pop_front()
-    }
-
-    pub fn contains(&self, item: &T) -> bool
-    where
-        T: PartialEq<T>,
-    {
-        let inner = unsafe { &*self.0.get() };
-        inner.contains(item)
-    }
-
-    pub fn remove_all(&self, item: &T) -> bool
-    where
-        T: PartialEq<T>,
-    {
-        let inner = unsafe { &mut *self.0.get() };
-        let initial_len = inner.len();
-        inner.retain(|e| e != item);
-        inner.len() != initial_len
-    }
-
-    pub fn remove_if<F>(&mut self, mut pred: F) -> bool
-    where
-        F: FnMut(&T) -> bool,
-    {
-        let inner = self.0.get_mut();
-        let initial_len = inner.len();
-        inner.retain(|e| !pred(e));
-        inner.len() != initial_len
-    }
-
-    pub fn len(&self) -> usize {
-        let inner = unsafe { &*self.0.get() };
-        inner.len()
-    }
-
-    pub fn capacity(&self) -> usize {
-        let inner = unsafe { &*self.0.get() };
-        inner.capacity()
-    }
-
-    pub fn is_empty(&self) -> bool {
-        self.len() == 0
-    }
-}
-
-impl<T: fmt::Debug> fmt::Debug for Queue<T> {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        let inner = unsafe { &*self.0.get() };
-        inner.fmt(f)
-    }
-}
-
-impl<T> Default for Queue<T> {
-    fn default() -> Self {
-        Self::new()
-    }
-}
-
-impl<T: Clone> Clone for Queue<T> {
-    fn clone(&self) -> Self {
-        let inner = unsafe { &*self.0.get() };
-        Self(UnsafeCell::new(inner.clone()))
-    }
-}
-
-impl<T> IntoIterator for Queue<T> {
-    type Item = T;
-    type IntoIter = vec_deque::IntoIter<T>;
-
-    fn into_iter(self) -> Self::IntoIter {
-        self.0.into_inner().into_iter()
-    }
-}
-
-/// Unordered set that never leaks references to its content
-pub struct Set<T>(UnsafeCell<HashSet<T>>);
-
-impl<T: Eq + Hash> Set<T> {
-    pub fn new() -> Self {
-        Self::default()
-    }
-
-    pub fn with_capacity(capacity: usize) -> Self {
-        Self(UnsafeCell::new(HashSet::with_capacity(capacity)))
-    }
-
-    pub fn contains<Q>(&self, value: &Q) -> bool
-    where
-        T: Borrow<Q>,
-        Q: ?Sized + Hash + Eq,
-    {
-        let inner = unsafe { &*self.0.get() };
-        inner.contains(value)
-    }
-
-    pub fn insert(&self, value: T) -> bool {
-        let inner = unsafe { &mut *self.0.get() };
-        inner.insert(value)
-    }
-
-    pub fn remove<Q>(&self, value: &Q) -> bool
-    where
-        T: Borrow<Q>,
-        Q: ?Sized + Hash + Eq,
-    {
-        let inner = unsafe { &mut *self.0.get() };
-        inner.remove(value)
-    }
-
-    pub fn clear(&self) {
-        let inner = unsafe { &mut *self.0.get() };
-        inner.clear();
-    }
-
-    pub fn len(&self) -> usize {
-        let inner = unsafe { &*self.0.get() };
-        inner.len()
-    }
-
-    pub fn is_empty(&self) -> bool {
-        let inner = unsafe { &*self.0.get() };
-        inner.is_empty()
-    }
-}
-
-impl<T: fmt::Debug> fmt::Debug for Set<T> {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        let inner = unsafe { &*self.0.get() };
-        inner.fmt(f)
-    }
-}
-
-impl<T> Default for Set<T> {
-    fn default() -> Self {
-        Self(Default::default())
-    }
-}
-
-impl<T: Clone> Clone for Set<T> {
-    fn clone(&self) -> Self {
-        let inner = unsafe { &*self.0.get() };
-        Self(UnsafeCell::new(inner.clone()))
-    }
-}
-
-impl<T> IntoIterator for Set<T> {
-    type Item = T;
-    type IntoIter = hash_set::IntoIter<T>;
-
-    fn into_iter(self) -> Self::IntoIter {
-        self.0.into_inner().into_iter()
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use static_assertions::{assert_impl_all, assert_not_impl_any};
-    use std::{rc::Rc, sync::Arc};
-
-    #[test]
-    fn test_queue_is_send_but_not_sync() {
-        assert_impl_all!(Queue<usize>: std::marker::Send);
-        assert_not_impl_any!(Queue<Rc<usize>>: std::marker::Send);
-        assert_not_impl_any!(Queue<Arc<usize>>: Sync);
-        assert_not_impl_any!(Arc<Queue<usize>>: std::marker::Send, Sync);
-    }
-
-    #[test]
-    fn test_set_is_send_but_not_sync() {
-        assert_impl_all!(Set<usize>: std::marker::Send);
-        assert_not_impl_any!(Set<Rc<usize>>: std::marker::Send);
-        assert_not_impl_any!(Set<Arc<usize>>: Sync);
-        assert_not_impl_any!(Arc<Set<usize>>: std::marker::Send, Sync);
-    }
-}
diff --git a/src/sealed/mod.rs b/src/sealed/mod.rs
new file mode 100644
index 0000000..5a27967
--- /dev/null
+++ b/src/sealed/mod.rs
@@ -0,0 +1,8 @@
+//! Collections that never leak references to their content, and therefore can be safely accessed via shared references.
+
+mod queue;
+mod set;
+mod utils;
+
+pub use queue::Queue;
+pub use set::Set;
diff --git a/src/sealed/queue.rs b/src/sealed/queue.rs
new file mode 100644
index 0000000..3f6139a
--- /dev/null
+++ b/src/sealed/queue.rs
@@ -0,0 +1,121 @@
+use super::utils::UnsafeWrapper;
+use std::collections::{VecDeque, vec_deque};
+use std::fmt;
+
+/// FIFO queue that never leaks references to its content
+pub struct Queue<T>(UnsafeWrapper<VecDeque<T>>);
+
+impl<T> Queue<T> {
+    pub fn new() -> Self {
+        Self(UnsafeWrapper::new(VecDeque::new()))
+    }
+
+    pub fn with_capacity(capacity: usize) -> Self {
+        Self(UnsafeWrapper::new(VecDeque::with_capacity(capacity)))
+    }
+
+    pub fn push(&self, item: T) {
+        // SAFETY: `with()` is never invoked recursively
+        unsafe { self.0.with(|inner| inner.push_back(item)) }
+    }
+
+    pub fn pop(&self) -> Option<T> {
+        // SAFETY: `with()` is never invoked recursively
+        unsafe { self.0.with(|inner| inner.pop_front()) }
+    }
+
+    pub fn contains(&self, item: &T) -> bool
+    where
+        T: PartialEq<T>,
+    {
+        // SAFETY: `with()` is never invoked recursively
+        unsafe { self.0.with(|inner| inner.contains(item)) }
+    }
+
+    pub fn remove_all(&self, item: &T) -> bool
+    where
+        T: PartialEq<T>,
+    {
+        // SAFETY: `with()` is never invoked recursively
+        unsafe {
+            self.0.with(|inner| {
+                let initial_len = inner.len();
+                inner.retain(|e| e != item);
+                inner.len() != initial_len
+            })
+        }
+    }
+
+    pub fn clear(&self) {
+        // SAFETY: `with()` is never invoked recursively
+        unsafe { self.0.with(|inner| inner.clear()) }
+    }
+
+    pub fn len(&self) -> usize {
+        // SAFETY: `with()` is never invoked recursively
+        unsafe { self.0.with(|inner| inner.len()) }
+    }
+
+    pub fn capacity(&self) -> usize {
+        // SAFETY: `with()` is never invoked recursively
+        unsafe { self.0.with(|inner| inner.capacity()) }
+    }
+
+    pub fn is_empty(&self) -> bool {
+        self.len() == 0
+    }
+
+    pub fn into_inner(self) -> VecDeque<T> {
+        self.0.into_inner()
+    }
+}
+
+impl<T> From<VecDeque<T>> for Queue<T> {
+    fn from(vec_deque: VecDeque<T>) -> Self {
+        Self(UnsafeWrapper::new(vec_deque))
+    }
+}
+
+impl<T: fmt::Debug> fmt::Debug for Queue<T> {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        // SAFETY: `with()` is never invoked recursively
+        unsafe { self.0.with(|inner| inner.fmt(f)) }
+    }
+}
+
+impl<T> Default for Queue<T> {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+impl<T: Clone> Clone for Queue<T> {
+    fn clone(&self) -> Self {
+        // SAFETY: `with()` is never invoked recursively
+        unsafe { self.0.with(|inner| Self(UnsafeWrapper::new(inner.clone()))) }
+    }
+}
+
+impl<T> IntoIterator for Queue<T> {
+    type Item = T;
+    type IntoIter = vec_deque::IntoIter<T>;
+
+    fn into_iter(self) -> Self::IntoIter {
+        self.0.into_inner().into_iter()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use static_assertions::{assert_impl_all, assert_not_impl_any};
+    use std::{rc::Rc, sync::Arc};
+
+    #[test]
+    fn test_queue_is_send_but_not_sync() {
+        assert_impl_all!(Queue<usize>: std::marker::Send);
+        assert_not_impl_any!(Queue<Rc<usize>>: std::marker::Send);
+        assert_not_impl_any!(Queue<Arc<usize>>: Sync);
+        assert_not_impl_any!(Arc<Queue<usize>>: std::marker::Send, Sync);
+    }
+}
diff --git a/src/sealed/set.rs b/src/sealed/set.rs
new file mode 100644
index 0000000..5598a44
--- /dev/null
+++ b/src/sealed/set.rs
@@ -0,0 +1,115 @@
+use super::utils::UnsafeWrapper;
+use std::borrow::Borrow;
+use std::collections::{HashSet, hash_set};
+use std::fmt;
+use std::hash::Hash;
+
+/// Unordered set that never leaks references to its content
+pub struct Set<T>(UnsafeWrapper<HashSet<T>>);
+
+impl<T: Eq + Hash> Set<T> {
+    pub fn new() -> Self {
+        Self::default()
+    }
+
+    pub fn with_capacity(capacity: usize) -> Self {
+        Self(UnsafeWrapper::new(HashSet::with_capacity(capacity)))
+    }
+
+    pub fn contains<Q>(&self, value: &Q) -> bool
+    where
+        T: Borrow<Q>,
+        Q: ?Sized + Hash + Eq,
+    {
+        // SAFETY: `with()` is never invoked recursively
+        unsafe { self.0.with(|inner| inner.contains(value)) }
+    }
+
+    pub fn insert(&self, value: T) -> bool {
+        // SAFETY: `with()` is never invoked recursively
+        unsafe { self.0.with(|inner| inner.insert(value)) }
+    }
+
+    pub fn remove<Q>(&self, value: &Q) -> bool
+    where
+        T: Borrow<Q>,
+        Q: ?Sized + Hash + Eq,
+    {
+        // SAFETY: `with()` is never invoked recursively
+        unsafe { self.0.with(|inner| inner.remove(value)) }
+    }
+
+    pub fn clear(&self) {
+        // SAFETY: `with()` is never invoked recursively
+        unsafe { self.0.with(|inner| inner.clear()) }
+    }
+
+    pub fn len(&self) -> usize {
+        // SAFETY: `with()` is never invoked recursively
+        unsafe { self.0.with(|inner| inner.len()) }
+    }
+
+    pub fn capacity(&self) -> usize {
+        // SAFETY: `with()` is never invoked recursively
+        unsafe { self.0.with(|inner| inner.capacity()) }
+    }
+
+    pub fn is_empty(&self) -> bool {
+        // SAFETY: `with()` is never invoked recursively
+        unsafe { self.0.with(|inner| inner.is_empty()) }
+    }
+
+    pub fn into_inner(self) -> HashSet<T> {
+        self.0.into_inner()
+    }
+}
+
+impl<T> From<HashSet<T>> for Set<T> {
+    fn from(hash_set: HashSet<T>) -> Self {
+        Self(UnsafeWrapper::new(hash_set))
+    }
+}
+
+impl<T: fmt::Debug> fmt::Debug for Set<T> {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        // SAFETY: `with()` is never invoked recursively
+        unsafe { self.0.with(|inner| inner.fmt(f)) }
+    }
+}
+
+impl<T> Default for Set<T> {
+    fn default() -> Self {
+        Self(UnsafeWrapper::new(HashSet::default()))
+    }
+}
+
+impl<T: Clone> Clone for Set<T> {
+    fn clone(&self) -> Self {
+        // SAFETY: `with()` is never invoked recursively
+        unsafe { self.0.with(|inner| Self(UnsafeWrapper::new(inner.clone()))) }
+    }
+}
+
+impl<T> IntoIterator for Set<T> {
+    type Item = T;
+    type IntoIter = hash_set::IntoIter<T>;
+
+    fn into_iter(self) -> Self::IntoIter {
+        self.0.into_inner().into_iter()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use static_assertions::{assert_impl_all, assert_not_impl_any};
+    use std::{rc::Rc, sync::Arc};
+
+    #[test]
+    fn test_set_is_send_but_not_sync() {
+        assert_impl_all!(Set<usize>: std::marker::Send);
+        assert_not_impl_any!(Set<Rc<usize>>: std::marker::Send);
+        assert_not_impl_any!(Set<Arc<usize>>: Sync);
+        assert_not_impl_any!(Arc<Set<usize>>: std::marker::Send, Sync);
+    }
+}
diff --git a/src/sealed/utils.rs b/src/sealed/utils.rs
new file mode 100644
index 0000000..3dbdedb
--- /dev/null
+++ b/src/sealed/utils.rs
@@ -0,0 +1,24 @@
+use std::cell::UnsafeCell;
+
+/// A (hopefully) zero-cost wrapper that simplifies working with unsafe code.
+pub struct UnsafeWrapper<T>(UnsafeCell<T>);
+
+impl<T> UnsafeWrapper<T> {
+    pub fn new(inner: T) -> Self {
+        Self(UnsafeCell::new(inner))
+    }
+
+    /// # Safety
+    /// Calls to `with()` can't be nested.
+    #[inline(always)]
+    pub unsafe fn with<R, F>(&self, f: F) -> R
+    where
+        F: FnOnce(&mut T) -> R,
+    {
+        f(unsafe { &mut *self.0.get() })
+    }
+
+    pub fn into_inner(self) -> T {
+        self.0.into_inner()
+    }
+}