diff --git a/CHANGELOG.md b/CHANGELOG.md
index bee5de0d7e..00f9418771 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,8 +26,12 @@ and this project adheres to
   `ConversionOverflowError` and `DivideByZeroError`. ([#1896])
 - cosmwasm-std: Add `SubMsg:reply_never` constructor ([#1929])
 - cosmwasm-std: Add optional memo field to `IbcMsg::Transfer`. ([#1878])
+- cosmwasm-std: Make inner values of `CanonicalAddr` and `Binary` private and
+  add constructor for `Binary`. ([#1876])
+- cosmwasm-vm: Make inner value of `Size` private and add constructor. ([#1876])
 
 [#1874]: https://github.com/CosmWasm/cosmwasm/pull/1874
+[#1876]: https://github.com/CosmWasm/cosmwasm/pull/1876
 [#1878]: https://github.com/CosmWasm/cosmwasm/pull/1878
 [#1879]: https://github.com/CosmWasm/cosmwasm/pull/1879
 [#1890]: https://github.com/CosmWasm/cosmwasm/pull/1890
diff --git a/MIGRATING.md b/MIGRATING.md
index 559581566c..f367462f30 100644
--- a/MIGRATING.md
+++ b/MIGRATING.md
@@ -69,6 +69,22 @@ major releases of `cosmwasm`. Note that you can also view the
   +Coin::new(1234u128, "uatom")
   ```
 
+- When creating a `Binary` or `Size` instance from an inner value, you now have
+  to explicitly call `new`:
+
+  ```diff
+  -Binary(vec![1u8])
+  +Binary::new(vec![1u8])
+  ```
+
+- When accessing the inner value of a `CanonicalAddr` or `Binary`, use
+  `as_slice` instead:
+
+  ```diff
+  -&canonical_addr.0
+  +canonical_addr.as_slice()
+  ```
+
 ## 1.4.x -> 1.5.0
 
 - Update `cosmwasm-*` dependencies in Cargo.toml (skip the ones you don't use):
diff --git a/contracts/crypto-verify/src/contract.rs b/contracts/crypto-verify/src/contract.rs
index 41fe879201..1a418cb8ef 100644
--- a/contracts/crypto-verify/src/contract.rs
+++ b/contracts/crypto-verify/src/contract.rs
@@ -34,9 +34,9 @@ pub fn query(deps: Deps, _env: Env, msg: QueryMsg) -> StdResult<QueryResponse> {
             public_key,
         } => to_json_binary(&query_verify_cosmos(
             deps,
-            &message.0,
-            &signature.0,
-            &public_key.0,
+            message.as_slice(),
+            signature.as_slice(),
+            public_key.as_slice(),
         )?),
         QueryMsg::VerifyEthereumText {
             message,
@@ -69,9 +69,9 @@ pub fn query(deps: Deps, _env: Env, msg: QueryMsg) -> StdResult<QueryResponse> {
             public_key,
         } => to_json_binary(&query_verify_tendermint(
             deps,
-            &message.0,
-            &signature.0,
-            &public_key.0,
+            message.as_slice(),
+            signature.as_slice(),
+            public_key.as_slice(),
         )?),
         QueryMsg::VerifyTendermintBatch {
             messages,
@@ -268,9 +268,9 @@ mod tests {
         let public_key = hex::decode(SECP256K1_PUBLIC_KEY_HEX).unwrap();
 
         let verify_msg = QueryMsg::VerifyCosmosSignature {
-            message: Binary(message),
-            signature: Binary(signature),
-            public_key: Binary(public_key),
+            message: Binary::new(message),
+            signature: Binary::new(signature),
+            public_key: Binary::new(public_key),
         };
 
         let raw = query(deps.as_ref(), mock_env(), verify_msg).unwrap();
@@ -290,9 +290,9 @@ mod tests {
         let public_key = hex::decode(SECP256K1_PUBLIC_KEY_HEX).unwrap();
 
         let verify_msg = QueryMsg::VerifyCosmosSignature {
-            message: Binary(message),
-            signature: Binary(signature),
-            public_key: Binary(public_key),
+            message: Binary::new(message),
+            signature: Binary::new(signature),
+            public_key: Binary::new(public_key),
         };
 
         let raw = query(deps.as_ref(), mock_env(), verify_msg).unwrap();
@@ -310,9 +310,9 @@ mod tests {
         let public_key = vec![];
 
         let verify_msg = QueryMsg::VerifyCosmosSignature {
-            message: Binary(message),
-            signature: Binary(signature),
-            public_key: Binary(public_key),
+            message: Binary::new(message),
+            signature: Binary::new(signature),
+            public_key: Binary::new(public_key),
         };
 
         let res = query(deps.as_ref(), mock_env(), verify_msg);
@@ -457,15 +457,15 @@ mod tests {
 
         let messages = [ED25519_MESSAGE_HEX, ED25519_MESSAGE2_HEX]
             .iter()
-            .map(|m| Binary(hex::decode(m).unwrap()))
+            .map(|m| Binary::new(hex::decode(m).unwrap()))
             .collect();
         let signatures = [ED25519_SIGNATURE_HEX, ED25519_SIGNATURE2_HEX]
             .iter()
-            .map(|m| Binary(hex::decode(m).unwrap()))
+            .map(|m| Binary::new(hex::decode(m).unwrap()))
             .collect();
         let public_keys = [ED25519_PUBLIC_KEY_HEX, ED25519_PUBLIC_KEY2_HEX]
             .iter()
-            .map(|m| Binary(hex::decode(m).unwrap()))
+            .map(|m| Binary::new(hex::decode(m).unwrap()))
             .collect();
 
         let verify_msg = QueryMsg::VerifyTendermintBatch {
@@ -487,18 +487,18 @@ mod tests {
         // One message
         let messages = [ED25519_MESSAGE_HEX]
             .iter()
-            .map(|m| Binary(hex::decode(m).unwrap()))
+            .map(|m| Binary::new(hex::decode(m).unwrap()))
             .collect();
         // Multiple signatures
         //FIXME: Use different signatures / pubkeys
         let signatures = [ED25519_SIGNATURE_HEX, ED25519_SIGNATURE_HEX]
             .iter()
-            .map(|m| Binary(hex::decode(m).unwrap()))
+            .map(|m| Binary::new(hex::decode(m).unwrap()))
             .collect();
         // Multiple pubkeys
         let public_keys = [ED25519_PUBLIC_KEY_HEX, ED25519_PUBLIC_KEY_HEX]
             .iter()
-            .map(|m| Binary(hex::decode(m).unwrap()))
+            .map(|m| Binary::new(hex::decode(m).unwrap()))
             .collect();
 
         let verify_msg = QueryMsg::VerifyTendermintBatch {
@@ -521,18 +521,18 @@ mod tests {
         //FIXME: Use different messages
         let messages = [ED25519_MESSAGE_HEX, ED25519_MESSAGE_HEX]
             .iter()
-            .map(|m| Binary(hex::decode(m).unwrap()))
+            .map(|m| Binary::new(hex::decode(m).unwrap()))
             .collect();
         // Multiple signatures
         //FIXME: Use different signatures
         let signatures = [ED25519_SIGNATURE_HEX, ED25519_SIGNATURE_HEX]
             .iter()
-            .map(|m| Binary(hex::decode(m).unwrap()))
+            .map(|m| Binary::new(hex::decode(m).unwrap()))
             .collect();
         // One pubkey
         let public_keys = [ED25519_PUBLIC_KEY_HEX]
             .iter()
-            .map(|m| Binary(hex::decode(m).unwrap()))
+            .map(|m| Binary::new(hex::decode(m).unwrap()))
             .collect();
 
         let verify_msg = QueryMsg::VerifyTendermintBatch {
@@ -553,17 +553,19 @@ mod tests {
 
         let mut messages: Vec<Binary> = [ED25519_MESSAGE_HEX, ED25519_MESSAGE2_HEX]
             .iter()
-            .map(|m| Binary(hex::decode(m).unwrap()))
+            .map(|m| Binary::new(hex::decode(m).unwrap()))
             .collect();
         // Alter one of the messages
-        messages[0].0[0] ^= 0x01;
+        let mut b: Vec<_> = messages.pop().unwrap().into();
+        b[0] ^= 0x01;
+        messages.push(Binary::new(b));
         let signatures = [ED25519_SIGNATURE_HEX, ED25519_SIGNATURE2_HEX]
             .iter()
-            .map(|m| Binary(hex::decode(m).unwrap()))
+            .map(|m| Binary::new(hex::decode(m).unwrap()))
             .collect();
         let public_keys = [ED25519_PUBLIC_KEY_HEX, ED25519_PUBLIC_KEY2_HEX]
             .iter()
-            .map(|m| Binary(hex::decode(m).unwrap()))
+            .map(|m| Binary::new(hex::decode(m).unwrap()))
             .collect();
 
         let verify_msg = QueryMsg::VerifyTendermintBatch {
@@ -584,16 +586,16 @@ mod tests {
 
         let messages = [ED25519_MESSAGE_HEX, ED25519_MESSAGE2_HEX]
             .iter()
-            .map(|m| Binary(hex::decode(m).unwrap()))
+            .map(|m| Binary::new(hex::decode(m).unwrap()))
             .collect();
         let signatures = [ED25519_SIGNATURE_HEX, ED25519_SIGNATURE2_HEX]
             .iter()
-            .map(|m| Binary(hex::decode(m).unwrap()))
+            .map(|m| Binary::new(hex::decode(m).unwrap()))
             .collect();
         // One of the public keys is empty
         let public_keys = ["", ED25519_PUBLIC_KEY_HEX]
             .iter()
-            .map(|m| Binary(hex::decode(m).unwrap()))
+            .map(|m| Binary::new(hex::decode(m).unwrap()))
             .collect();
 
         let verify_msg = QueryMsg::VerifyTendermintBatch {
@@ -620,9 +622,9 @@ mod tests {
         let public_key = hex::decode(ED25519_PUBLIC_KEY_HEX).unwrap();
 
         let verify_msg = QueryMsg::VerifyTendermintSignature {
-            message: Binary(message),
-            signature: Binary(signature),
-            public_key: Binary(public_key),
+            message: Binary::new(message),
+            signature: Binary::new(signature),
+            public_key: Binary::new(public_key),
         };
 
         let raw = query(deps.as_ref(), mock_env(), verify_msg).unwrap();
@@ -642,9 +644,9 @@ mod tests {
         let public_key = hex::decode(ED25519_PUBLIC_KEY_HEX).unwrap();
 
         let verify_msg = QueryMsg::VerifyTendermintSignature {
-            message: Binary(message),
-            signature: Binary(signature),
-            public_key: Binary(public_key),
+            message: Binary::new(message),
+            signature: Binary::new(signature),
+            public_key: Binary::new(public_key),
         };
 
         let raw = query(deps.as_ref(), mock_env(), verify_msg).unwrap();
@@ -662,9 +664,9 @@ mod tests {
         let public_key = vec![];
 
         let verify_msg = QueryMsg::VerifyTendermintSignature {
-            message: Binary(message),
-            signature: Binary(signature),
-            public_key: Binary(public_key),
+            message: Binary::new(message),
+            signature: Binary::new(signature),
+            public_key: Binary::new(public_key),
         };
         let res = query(deps.as_ref(), mock_env(), verify_msg);
         assert!(res.is_err());
diff --git a/contracts/crypto-verify/tests/integration.rs b/contracts/crypto-verify/tests/integration.rs
index 4cdf2f3749..1ef58efbb7 100644
--- a/contracts/crypto-verify/tests/integration.rs
+++ b/contracts/crypto-verify/tests/integration.rs
@@ -79,9 +79,9 @@ fn cosmos_signature_verify_works() {
     let public_key = hex::decode(SECP256K1_PUBLIC_KEY_HEX).unwrap();
 
     let verify_msg = QueryMsg::VerifyCosmosSignature {
-        message: Binary(message),
-        signature: Binary(signature),
-        public_key: Binary(public_key),
+        message: Binary::new(message),
+        signature: Binary::new(signature),
+        public_key: Binary::new(public_key),
     };
 
     let raw = query(&mut deps, mock_env(), verify_msg).unwrap();
@@ -101,9 +101,9 @@ fn cosmos_signature_verify_fails() {
     let public_key = hex::decode(SECP256K1_PUBLIC_KEY_HEX).unwrap();
 
     let verify_msg = QueryMsg::VerifyCosmosSignature {
-        message: Binary(message),
-        signature: Binary(signature),
-        public_key: Binary(public_key),
+        message: Binary::new(message),
+        signature: Binary::new(signature),
+        public_key: Binary::new(public_key),
     };
 
     let raw = query(&mut deps, mock_env(), verify_msg).unwrap();
@@ -121,9 +121,9 @@ fn cosmos_signature_verify_errors() {
     let public_key = vec![];
 
     let verify_msg = QueryMsg::VerifyCosmosSignature {
-        message: Binary(message),
-        signature: Binary(signature),
-        public_key: Binary(public_key),
+        message: Binary::new(message),
+        signature: Binary::new(signature),
+        public_key: Binary::new(public_key),
     };
     let res = query(&mut deps, mock_env(), verify_msg);
     assert_eq!(
@@ -262,9 +262,9 @@ fn tendermint_signature_verify_works() {
     let public_key = hex::decode(ED25519_PUBLIC_KEY_HEX).unwrap();
 
     let verify_msg = QueryMsg::VerifyTendermintSignature {
-        message: Binary(message),
-        signature: Binary(signature),
-        public_key: Binary(public_key),
+        message: Binary::new(message),
+        signature: Binary::new(signature),
+        public_key: Binary::new(public_key),
     };
 
     let raw = query(&mut deps, mock_env(), verify_msg).unwrap();
@@ -284,9 +284,9 @@ fn tendermint_signature_verify_fails() {
     let public_key = hex::decode(ED25519_PUBLIC_KEY_HEX).unwrap();
 
     let verify_msg = QueryMsg::VerifyTendermintSignature {
-        message: Binary(message),
-        signature: Binary(signature),
-        public_key: Binary(public_key),
+        message: Binary::new(message),
+        signature: Binary::new(signature),
+        public_key: Binary::new(public_key),
     };
 
     let raw = query(&mut deps, mock_env(), verify_msg).unwrap();
@@ -304,9 +304,9 @@ fn tendermint_signature_verify_errors() {
     let public_key = vec![];
 
     let verify_msg = QueryMsg::VerifyTendermintSignature {
-        message: Binary(message),
-        signature: Binary(signature),
-        public_key: Binary(public_key),
+        message: Binary::new(message),
+        signature: Binary::new(signature),
+        public_key: Binary::new(public_key),
     };
     let res = query(&mut deps, mock_env(), verify_msg);
     assert_eq!(
@@ -321,15 +321,15 @@ fn tendermint_signatures_batch_verify_works() {
 
     let messages = [ED25519_MESSAGE_HEX, ED25519_MESSAGE2_HEX]
         .iter()
-        .map(|m| Binary(hex::decode(m).unwrap()))
+        .map(|m| Binary::new(hex::decode(m).unwrap()))
         .collect();
     let signatures = [ED25519_SIGNATURE_HEX, ED25519_SIGNATURE2_HEX]
         .iter()
-        .map(|m| Binary(hex::decode(m).unwrap()))
+        .map(|m| Binary::new(hex::decode(m).unwrap()))
         .collect();
     let public_keys = [ED25519_PUBLIC_KEY_HEX, ED25519_PUBLIC_KEY2_HEX]
         .iter()
-        .map(|m| Binary(hex::decode(m).unwrap()))
+        .map(|m| Binary::new(hex::decode(m).unwrap()))
         .collect();
 
     let verify_msg = QueryMsg::VerifyTendermintBatch {
@@ -351,18 +351,18 @@ fn tendermint_signatures_batch_verify_message_multisig_works() {
     // One message
     let messages = [ED25519_MESSAGE_HEX]
         .iter()
-        .map(|m| Binary(hex::decode(m).unwrap()))
+        .map(|m| Binary::new(hex::decode(m).unwrap()))
         .collect();
     // Multiple signatures
     //FIXME: Use different signatures / pubkeys
     let signatures = [ED25519_SIGNATURE_HEX, ED25519_SIGNATURE_HEX]
         .iter()
-        .map(|m| Binary(hex::decode(m).unwrap()))
+        .map(|m| Binary::new(hex::decode(m).unwrap()))
         .collect();
     // Multiple pubkeys
     let public_keys = [ED25519_PUBLIC_KEY_HEX, ED25519_PUBLIC_KEY_HEX]
         .iter()
-        .map(|m| Binary(hex::decode(m).unwrap()))
+        .map(|m| Binary::new(hex::decode(m).unwrap()))
         .collect();
 
     let verify_msg = QueryMsg::VerifyTendermintBatch {
@@ -385,17 +385,17 @@ fn tendermint_signatures_batch_verify_single_public_key_works() {
     //FIXME: Use different messages / signatures
     let messages = [ED25519_MESSAGE_HEX, ED25519_MESSAGE_HEX]
         .iter()
-        .map(|m| Binary(hex::decode(m).unwrap()))
+        .map(|m| Binary::new(hex::decode(m).unwrap()))
         .collect();
     // Multiple signatures
     let signatures = [ED25519_SIGNATURE_HEX, ED25519_SIGNATURE_HEX]
         .iter()
-        .map(|m| Binary(hex::decode(m).unwrap()))
+        .map(|m| Binary::new(hex::decode(m).unwrap()))
         .collect();
     // One pubkey
     let public_keys = [ED25519_PUBLIC_KEY_HEX]
         .iter()
-        .map(|m| Binary(hex::decode(m).unwrap()))
+        .map(|m| Binary::new(hex::decode(m).unwrap()))
         .collect();
 
     let verify_msg = QueryMsg::VerifyTendermintBatch {
@@ -416,17 +416,20 @@ fn tendermint_signatures_batch_verify_fails() {
 
     let mut messages: Vec<Binary> = [ED25519_MESSAGE_HEX, ED25519_MESSAGE2_HEX]
         .iter()
-        .map(|m| Binary(hex::decode(m).unwrap()))
+        .map(|m| Binary::new(hex::decode(m).unwrap()))
         .collect();
     // Alter one of the messages
-    messages[1].0[0] ^= 0x01;
+    let mut b: Vec<_> = messages.swap_remove(0).into();
+    b[0] ^= 0x01;
+    messages.push(Binary::new(b));
+    messages.swap(0, 1); // swap them again to old order
     let signatures = [ED25519_SIGNATURE_HEX, ED25519_SIGNATURE2_HEX]
         .iter()
-        .map(|m| Binary(hex::decode(m).unwrap()))
+        .map(|m| Binary::new(hex::decode(m).unwrap()))
         .collect();
     let public_keys = [ED25519_PUBLIC_KEY_HEX, ED25519_PUBLIC_KEY2_HEX]
         .iter()
-        .map(|m| Binary(hex::decode(m).unwrap()))
+        .map(|m| Binary::new(hex::decode(m).unwrap()))
         .collect();
 
     let verify_msg = QueryMsg::VerifyTendermintBatch {
@@ -447,16 +450,16 @@ fn tendermint_signatures_batch_verify_errors() {
 
     let messages = [ED25519_MESSAGE_HEX, ED25519_MESSAGE2_HEX]
         .iter()
-        .map(|m| Binary(hex::decode(m).unwrap()))
+        .map(|m| Binary::new(hex::decode(m).unwrap()))
         .collect();
     let signatures = [ED25519_SIGNATURE_HEX, ED25519_SIGNATURE2_HEX]
         .iter()
-        .map(|m| Binary(hex::decode(m).unwrap()))
+        .map(|m| Binary::new(hex::decode(m).unwrap()))
         .collect();
     // One of the public keys is empty
     let public_keys = [ED25519_PUBLIC_KEY_HEX, ""]
         .iter()
-        .map(|m| Binary(hex::decode(m).unwrap()))
+        .map(|m| Binary::new(hex::decode(m).unwrap()))
         .collect();
 
     let verify_msg = QueryMsg::VerifyTendermintBatch {
diff --git a/contracts/queue/src/contract.rs b/contracts/queue/src/contract.rs
index 536921a4e4..02b39e2198 100644
--- a/contracts/queue/src/contract.rs
+++ b/contracts/queue/src/contract.rs
@@ -66,7 +66,7 @@ fn handle_dequeue(deps: DepsMut) -> StdResult<Response> {
     if let Some((key, value)) = first {
         // remove from storage and return old value
         deps.storage.remove(&key);
-        res.data = Some(Binary(value));
+        res.data = Some(Binary::new(value));
     }
     Ok(res)
 }
diff --git a/contracts/reflect/src/contract.rs b/contracts/reflect/src/contract.rs
index fbe9076ec7..87208f2e94 100644
--- a/contracts/reflect/src/contract.rs
+++ b/contracts/reflect/src/contract.rs
@@ -274,7 +274,7 @@ mod tests {
             }
             .into(),
             // make sure we can pass through custom native messages
-            CustomMsg::Raw(Binary(b"{\"foo\":123}".to_vec())).into(),
+            CustomMsg::Raw(Binary::new(b"{\"foo\":123}".to_vec())).into(),
             CustomMsg::Debug("Hi, Dad!".to_string()).into(),
             StakingMsg::Delegate {
                 validator: String::from("validator"),
diff --git a/contracts/reflect/tests/integration.rs b/contracts/reflect/tests/integration.rs
index 1333ad53bb..47714925f0 100644
--- a/contracts/reflect/tests/integration.rs
+++ b/contracts/reflect/tests/integration.rs
@@ -102,7 +102,7 @@ fn reflect() {
         }
         .into(),
         // make sure we can pass through custom native messages
-        CustomMsg::Raw(Binary(b"{\"foo\":123}".to_vec())).into(),
+        CustomMsg::Raw(Binary::new(b"{\"foo\":123}".to_vec())).into(),
         CustomMsg::Debug("Hi, Dad!".to_string()).into(),
         StakingMsg::Delegate {
             validator: String::from("validator"),
diff --git a/packages/std/src/addresses.rs b/packages/std/src/addresses.rs
index f029913a07..c41ab4c8a0 100644
--- a/packages/std/src/addresses.rs
+++ b/packages/std/src/addresses.rs
@@ -130,7 +130,7 @@ impl<'a> From<&'a Addr> for Cow<'a, Addr> {
 /// So the type should be treated as a marker to express the intended data type, not as
 /// a validity guarantee of any sort.
 #[derive(Serialize, Deserialize, Clone, Debug, PartialEq, Eq, Hash, JsonSchema)]
-pub struct CanonicalAddr(pub Binary);
+pub struct CanonicalAddr(Binary);
 
 /// Implement `CanonicalAddr == Binary`
 impl PartialEq<Binary> for CanonicalAddr {
@@ -485,26 +485,34 @@ mod tests {
         let original_ptr = original.as_ptr();
         let addr: CanonicalAddr = original.into();
         assert_eq!(addr.as_slice(), [0u8, 187, 61, 11, 250, 0]);
-        assert_eq!((addr.0).0.as_ptr(), original_ptr, "must not be copied");
+        assert_eq!(
+            (addr.0).as_slice().as_ptr(),
+            original_ptr,
+            "must not be copied"
+        );
 
         // From<Vec<u8>> for CanonicalAddr
         let original = vec![0u8, 187, 61, 11, 250, 0];
         let original_ptr = original.as_ptr();
         let addr = CanonicalAddr::from(original);
         assert_eq!(addr.as_slice(), [0u8, 187, 61, 11, 250, 0]);
-        assert_eq!((addr.0).0.as_ptr(), original_ptr, "must not be copied");
+        assert_eq!(
+            (addr.0).as_slice().as_ptr(),
+            original_ptr,
+            "must not be copied"
+        );
 
         // Into<Vec<u8>> for CanonicalAddr
         // This test is a bit pointless because we get Into from the From implementation
         let original = CanonicalAddr::from(vec![0u8, 187, 61, 11, 250, 0]);
-        let original_ptr = (original.0).0.as_ptr();
+        let original_ptr = (original.0).as_slice().as_ptr();
         let vec: Vec<u8> = original.into();
         assert_eq!(vec.as_slice(), [0u8, 187, 61, 11, 250, 0]);
         assert_eq!(vec.as_ptr(), original_ptr, "must not be copied");
 
         // From<CanonicalAddr> for Vec<u8>
         let original = CanonicalAddr::from(vec![7u8, 35, 49, 101, 0, 255]);
-        let original_ptr = (original.0).0.as_ptr();
+        let original_ptr = (original.0).as_slice().as_ptr();
         let vec = Vec::<u8>::from(original);
         assert_eq!(vec.as_slice(), [7u8, 35, 49, 101, 0, 255]);
         assert_eq!(vec.as_ptr(), original_ptr, "must not be copied");
@@ -517,11 +525,15 @@ mod tests {
         let original_ptr = original.as_ptr();
         let addr = CanonicalAddr::from(original);
         assert_eq!(addr.as_slice(), [0u8, 187, 61, 11, 250, 0]);
-        assert_eq!((addr.0).0.as_ptr(), original_ptr, "must not be copied");
+        assert_eq!(
+            (addr.0).as_slice().as_ptr(),
+            original_ptr,
+            "must not be copied"
+        );
 
         // From<CanonicalAddr> for Binary
         let original = CanonicalAddr::from(vec![7u8, 35, 49, 101, 0, 255]);
-        let original_ptr = (original.0).0.as_ptr();
+        let original_ptr = (original.0).as_slice().as_ptr();
         let bin = Binary::from(original);
         assert_eq!(bin.as_slice(), [7u8, 35, 49, 101, 0, 255]);
         assert_eq!(bin.as_ptr(), original_ptr, "must not be copied");
@@ -534,11 +546,15 @@ mod tests {
         let original_ptr = original.as_ptr();
         let addr = CanonicalAddr::from(original);
         assert_eq!(addr.as_slice(), [0u8, 187, 61, 11, 250, 0]);
-        assert_eq!((addr.0).0.as_ptr(), original_ptr, "must not be copied");
+        assert_eq!(
+            (addr.0).as_slice().as_ptr(),
+            original_ptr,
+            "must not be copied"
+        );
 
         // From<CanonicalAddr> for HexBinary
         let original = CanonicalAddr::from(vec![7u8, 35, 49, 101, 0, 255]);
-        let original_ptr = (original.0).0.as_ptr();
+        let original_ptr = (original.0).as_slice().as_ptr();
         let bin = HexBinary::from(original);
         assert_eq!(bin.as_slice(), [7u8, 35, 49, 101, 0, 255]);
         assert_eq!(bin.as_ptr(), original_ptr, "must not be copied");
diff --git a/packages/std/src/binary.rs b/packages/std/src/binary.rs
index bb65eea8db..8e2355033b 100644
--- a/packages/std/src/binary.rs
+++ b/packages/std/src/binary.rs
@@ -13,7 +13,7 @@ use crate::errors::{StdError, StdResult};
 /// This is only needed as serde-json-{core,wasm} has a horrible encoding for Vec<u8>.
 /// See also <https://github.com/CosmWasm/cosmwasm/blob/main/docs/MESSAGE_TYPES.md>.
 #[derive(Clone, Default, PartialEq, Eq, Hash, PartialOrd, Ord, JsonSchema)]
-pub struct Binary(#[schemars(with = "String")] pub Vec<u8>);
+pub struct Binary(#[schemars(with = "String")] Vec<u8>);
 
 impl Binary {
     /// Base64 encoding engine used in conversion to/from base64.
@@ -26,6 +26,11 @@ impl Binary {
             .with_decode_padding_mode(base64::engine::DecodePaddingMode::Indifferent),
     );
 
+    /// Creates a new `Binary` containing the given data.
+    pub const fn new(data: Vec<u8>) -> Self {
+        Self(data)
+    }
+
     /// take an (untrusted) string and decode it into bytes.
     /// fails if it is not valid base64
     pub fn from_base64(encoded: &str) -> StdResult<Self> {
diff --git a/packages/std/src/ibc.rs b/packages/std/src/ibc.rs
index 17c60ae87f..6631312527 100644
--- a/packages/std/src/ibc.rs
+++ b/packages/std/src/ibc.rs
@@ -654,7 +654,7 @@ pub struct IbcReceiveResponse<T = Empty> {
 impl<T> Default for IbcReceiveResponse<T> {
     fn default() -> Self {
         IbcReceiveResponse {
-            acknowledgement: Binary(vec![]),
+            acknowledgement: Binary::default(),
             messages: vec![],
             attributes: vec![],
             events: vec![],
diff --git a/packages/std/src/serde.rs b/packages/std/src/serde.rs
index 23793698b6..2948813281 100644
--- a/packages/std/src/serde.rs
+++ b/packages/std/src/serde.rs
@@ -63,7 +63,7 @@ pub fn to_json_binary<T>(data: &T) -> StdResult<Binary>
 where
     T: Serialize + ?Sized,
 {
-    to_json_vec(data).map(Binary)
+    to_json_vec(data).map(Binary::new)
 }
 
 #[cfg(test)]
diff --git a/packages/vm/benches/main.rs b/packages/vm/benches/main.rs
index bcad71287b..16ce2c23cd 100644
--- a/packages/vm/benches/main.rs
+++ b/packages/vm/benches/main.rs
@@ -177,7 +177,7 @@ fn bench_cache(c: &mut Criterion) {
         let non_memcache = CacheOptions::new(
             TempDir::new().unwrap().into_path(),
             capabilities_from_csv("iterator,staking"),
-            Size(0),
+            Size::new(0),
             DEFAULT_MEMORY_LIMIT,
         );
         let cache: Cache<MockApi, MockStorage, MockQuerier> =
@@ -199,7 +199,7 @@ fn bench_cache(c: &mut Criterion) {
         let non_memcache = CacheOptions::new(
             TempDir::new().unwrap().into_path(),
             capabilities_from_csv("iterator,staking"),
-            Size(0),
+            Size::new(0),
             DEFAULT_MEMORY_LIMIT,
         );
         let mut cache: Cache<MockApi, MockStorage, MockQuerier> =
diff --git a/packages/vm/src/size.rs b/packages/vm/src/size.rs
index 14ec88f928..c43a3a1a6b 100644
--- a/packages/vm/src/size.rs
+++ b/packages/vm/src/size.rs
@@ -1,7 +1,12 @@
 #[derive(Copy, Clone, Debug)]
-pub struct Size(pub usize);
+pub struct Size(pub(crate) usize);
 
 impl Size {
+    /// Creates a size of `n`
+    pub const fn new(n: usize) -> Self {
+        Size(n)
+    }
+
     /// Creates a size of `n` kilo
     pub const fn kilo(n: usize) -> Self {
         Size(n * 1000)
@@ -39,8 +44,8 @@ mod tests {
 
     #[test]
     fn constructors_work() {
-        assert_eq!(Size(0).0, 0);
-        assert_eq!(Size(3).0, 3);
+        assert_eq!(Size::new(0).0, Size(0).0);
+        assert_eq!(Size::new(3).0, Size(3).0);
 
         assert_eq!(Size::kilo(0).0, 0);
         assert_eq!(Size::kilo(3).0, 3000);
@@ -63,8 +68,8 @@ mod tests {
 
     #[test]
     fn implements_debug() {
-        assert_eq!(format!("{:?}", Size(0)), "Size(0)");
-        assert_eq!(format!("{:?}", Size(123)), "Size(123)");
+        assert_eq!(format!("{:?}", Size::new(0)), "Size(0)");
+        assert_eq!(format!("{:?}", Size::new(123)), "Size(123)");
         assert_eq!(format!("{:?}", Size::kibi(2)), "Size(2048)");
         assert_eq!(format!("{:?}", Size::mebi(1)), "Size(1048576)");
     }
diff --git a/packages/vm/src/wasm_backend/engine.rs b/packages/vm/src/wasm_backend/engine.rs
index 25eceee93c..b5b67e660a 100644
--- a/packages/vm/src/wasm_backend/engine.rs
+++ b/packages/vm/src/wasm_backend/engine.rs
@@ -87,16 +87,16 @@ mod tests {
     #[test]
     fn limit_to_pages_works() {
         // rounds down
-        assert_eq!(limit_to_pages(Size(0)), Pages(0));
-        assert_eq!(limit_to_pages(Size(1)), Pages(0));
+        assert_eq!(limit_to_pages(Size::new(0)), Pages(0));
+        assert_eq!(limit_to_pages(Size::new(1)), Pages(0));
         assert_eq!(limit_to_pages(Size::kibi(63)), Pages(0));
         assert_eq!(limit_to_pages(Size::kibi(64)), Pages(1));
         assert_eq!(limit_to_pages(Size::kibi(65)), Pages(1));
-        assert_eq!(limit_to_pages(Size(u32::MAX as usize)), Pages(65535));
+        assert_eq!(limit_to_pages(Size::new(u32::MAX as usize)), Pages(65535));
         // caps at 4 GiB
         assert_eq!(limit_to_pages(Size::gibi(3)), Pages(49152));
         assert_eq!(limit_to_pages(Size::gibi(4)), Pages(65536));
         assert_eq!(limit_to_pages(Size::gibi(5)), Pages(65536));
-        assert_eq!(limit_to_pages(Size(usize::MAX)), Pages(65536));
+        assert_eq!(limit_to_pages(Size::new(usize::MAX)), Pages(65536));
     }
 }