Re: I will not use this
No worse than anything else.
It's basically the same as the Javascript (ECMAScript) permissions - given that WebAssembly has its roots in the "virtual machine" made in Javascript.
Seriously, the problem is not what technology you choose, but how stupid your browser manufacturer's are.
P.S. You've had a webassembly-enabled browser for several years now, I guarantee it.
Go play with Emscripten, which has been compiling to Webassembly for a long time already. It's basically bound by the browser DOM security model. If that was broke, it really doesn't matter *what* language you've been using.
But you'll notice that you can't access local files, you have to run code from remote websites (so you can't just be pointed at something compromised on a local network machine), that permissions to audio, video capture and everything else are: the same damn permissions you've got available to every website and are denying/allowing already. It doesn't allow arbitrary file, memory or resource access. Hell, you have to jump through hoops just to preload files from a website and access them in a virtualised storage in order to do anything on them, and the performance hit is enormous because of the way it's done (but still more than viable for 99% of things you want to do in a browser because, hey, it's a browser).
The only interesting thing is WebSockets, but that's no different to the myriad of websites that talk back in the same way over HTTPS already.
Honestly, if your browser is dumb, it doesn't matter what language it's dumb in.
WebAssembly is just Javascript-compressed. That's it. If there's a vulnerability in it, you had that vulnerability for the last 10 years in your browser already.
But with Javascript, it's a pain in the arse to write a full 3D FPS (or, say, something like Sketchup for the Web). In WebAssembly, it's just another target for a compiler.
And, no, if you compile a memory-unsafe language (say, C99) to WebAssembly, all that happens is that your code falls over inside the WebAssembly virtual machine. Arbitrary memory pointer access is actually faked by allocation of a giant array, for instance. There are some things you just can't do because the browser DOM and the inherent absence of a capability in WebAssembly stops you.
Focus on the problem (browsers which don't implement proper security for their page interpretation) not the brand name on the language that exposes that (e.g. Javascript, WebAssembly). And, no, it's not even close to Java. Java plugins in browsers worked by Java having arbitrary access to the machine and then imposing its own (broken) security model. That's why Java plugins are basically dead now.