I would be interested in the previously mentioned claims like “wasm can’t protect against rowhammer” —- while perhaps not an easily exploited vulnerability, and likely every current sandbox tech is vulnerable, is there anything specific to wasm that would help here?

Also, how does wasm relate to traditional sandboxes that “just” hijack system calls? Is there a difference?