My take on this is that WASM is quite simply just new attack surface. Hear me out.
Imagine tomorrow someone invents WebX86. One website uses it. Support arrives for browsers, now 10 websites use it. So it gets added. And next year, someone inventest webARM64thingy. One website uses it. Support arrives for browsers, now 10 websites use it. So it gets added. Eventually browsers have so many additional things they must 'parse' and 'execute' to perform a web experience. Of course all of these pieces of code are bugfree. /sarc. No everything has at least one bug, so the potential attack surface of the browser keeps increasing, and the maintainance efforts required by the browser maintainance groups keeps increasing. So eventually those groups of people will become even more overwhelmed, and not be on-their-game ahead of a problem, and the whole security dance will happen over and over. I promise you, major security issues will occur. It won't neccessarily be in the wasm "executed language", but it will be in the capabilities exported by the browser code to create the environment, and it is going to suck. WASM is not required on the open internet. Not required Today. Hopefully never. We want software which has the maximum powerful behaviours, but there is a friction because we really should insist it is done with the least amount of increased complexity. And the tradeoff with wasm seems quite poor.
