Re: Yet again ... yawn ...
"They could be implemented in WebAssembly"
*Any* code that can modify what the viewer sees can be abused.
The biggest problem is *3rd party* code. You can turn it off with noscript etc, but many sites have their assets across multiple domains, That's *before* we start talking about advertisers.
Go to a random site on the internet, without using dev tools, you have no way of knowing where what you are seeing is coming from. Not just remote (3rd party) origins for files, but XSS and Iframes. The domain you type in/click on is just the first link in a chain. IMHO, It shouldn't be.
Most sane mail clients learnt the lesson of not loading remote content from an unvetted source without express permission. The web would be a safer place if web browsers did the same.
Firefox's container tabs are a good start.