I like the technical design of WASM, but I feel that better OS sandboxes for regular native code will be the common approach to running untrusted code.

As soon as you compile to WASM you no longer have the C FFI and the ability to call the OS systems interfaces for files, network and others.

It is extra work to move something to WASM vs just compiling it and running it in a sandbox.