It has exactly the same potential in the control and code-running respects as (minified) JavaScript. It’s overrepresented in malware because it’s faster, i.e. better for cryptominers. (Many sandbox breaches come from JavaScript’s complexity.)
Right, did everyone forget about ASM.js? We already had conpile-to-js, it was just a horrible subset of more efficient JS. WASM is just the extension and further development of that.
