
Comment by tgtweak

4 hours ago

Is a wasm sandbox as secure as a container or VM?

If I had to rank these, in order of least to most secure, it would be container < VM < WASM.

WASM has:

- Bounds checked linear memory

- No system calls except what you explicitly grant via WASI

- Much smaller attack surface

VMs have:

- Hardware isolation, separate kernel

- May have hypervisor bugs leading to VM escape (rare in practice though)

Some problems with containers:

- Shared host kernel (kernel exploit = escape)

- Seccomp/AppArmor/namespaces reduce attack surface but don't eliminate it

- Larger attack surface (full syscall interface)

- Container escapes are a known class of vulnerability

In theory it's more secure. Containers and VMs run on real hardware, containers usually even on the real kernel (unless you use something like Kata). WASM doesn't have any system interface by default, you have full control over what it accesses. So it's similar to JVM for example.
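The capability point made above (a module has no host interface unless the embedder provides it) shown in code. This is an added example, not code from the comment: a small parser for the import section of a WebAssembly binary that lists exactly which host functions and memories a module asks for, so an embedder can review the request before granting anything. The sample module is constructed inline; both WASI imports share one simplified type index because signatures are not checked here.

```python
def _leb_u32(buf, pos):  # unsigned LEB128 -> (value, next position)
    result, shift = 0, 0
    while True:
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
def _name(buf, pos):  # length-prefixed UTF-8 name -> (str, next position)
    n, pos = _leb_u32(buf, pos)
    return buf[pos:pos + n].decode("utf-8"), pos + n
def _skip_desc(buf, pos):  # -> (import kind byte, position after its descriptor)
    kind, pos = buf[pos], pos + 1
    if kind == 0:                     # func: type index
        return kind, _leb_u32(buf, pos)[1]
    if kind == 3:                     # global: valtype + mutability bytes
        return kind, pos + 2
    if kind == 1:                     # table: reftype byte precedes limits
        pos += 1
    flag, pos = buf[pos], pos + 1     # limits: flag, min[, max]
    pos = _leb_u32(buf, pos)[1]
    return kind, (_leb_u32(buf, pos)[1] if flag & 1 else pos)
KINDS = {0: "func", 1: "table", 2: "memory", 3: "global"}

def list_imports(module):
    """[(module, field, kind)] for every import; this is the sandbox's capability request."""
    if module[:8] != b"\x00asm\x01\x00\x00\x00":
        raise ValueError("not a wasm 1.0 binary")
    imports, pos = [], 8
    while pos < len(module):
        sec_id = module[pos]
        size, pos = _leb_u32(module, pos + 1)
        end = pos + size
        if sec_id == 2:               # import section
            count, pos = _leb_u32(module, pos)
            for _ in range(count):
                mod, pos = _name(module, pos)
                field, pos = _name(module, pos)
                kind, pos = _skip_desc(module, pos)
                imports.append((mod, field, KINDS.get(kind, "unknown")))
        pos = end                     # every section is length-prefixed
    return imports

def _s(s): return bytes([len(s)]) + s.encode()              # name, < 128 bytes
def _sec(sid, body): return bytes([sid, len(body)]) + body  # section, < 128 bytes
# Constructed sample module: asks for two WASI functions and a memory, nothing else.
SAMPLE_MODULE = (b"\x00asm\x01\x00\x00\x00"
    + _sec(1, b"\x01\x60\x04\x7f\x7f\x7f\x7f\x01\x7f")       # type 0: (i32 x4) -> i32
    + _sec(2, b"\x03" + _s("wasi_snapshot_preview1") + _s("fd_write") + b"\x00\x00"
              + _s("wasi_snapshot_preview1") + _s("path_open") + b"\x00\x00"
              + _s("env") + _s("memory") + b"\x02\x00\x01"))  # memory, min 1 page
```

`list_imports(SAMPLE_MODULE)` returns the three requests; a host that refuses to link `path_open` leaves the module with no way to reach the filesystem at all.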