I’m afraid safe mode only disables front-end code and not server-side stuff (which catches most things, but not everything) so it could still be a plugin. The most likely one is the allow-pms-to-staff as it’s the only non-official one in the list. You could try removing it from your app.yml and rebuilding to see if that is indeed causing the issue?
There was a report of it needing a fix for something else recently, though it may be unrelated: