On paper, this just uses the same security model as JavaScript, and obviously a lot of thought is going into security and sandboxing with this. What has been problematic historically was a lot of native code written in a hurry by dot-com-era companies being unleashed on browsers via a poorly thought-out plugin model.
Flash, Silverlight, Java Applets, and loads more stuff existed while people were still OK serving stuff up without SSL, trying to figure out cookies and generally not putting a lot of thought into cross-site scripting attacks. That was a security nightmare and all the obvious things happened. WASM does not seem like a repeat of that. Rather it builds on all the learning we've had since then.