What I know as a developer is web security is really hard. Last week there was a DOM clobbering gadget deep in my TypeScript world and I really didn't have the energy to understand who wants to clobber my DOM and why they need a gadget. I want to build stuff and what worries me is this stuff is just simply not foreseeable.
DOM security is a completely different beast from process isolation with WASM (in a web context or otherwise). The attack surface is vastly greater, due to the much larger API complexity.
