Web Assembly is NOT javascript. It literally is assembly for the web. There are transpilers that converts higher level code (C#, Go, Python) to Web Assembly, but the end result is always byte code that is run by the browser.
You may be confused with ASM.Js, which IS javascript. It is a very optimized version that uses a similar idea of a CPU instruction set (get register, add, branch on flag, push on stack, etc), but it still is interpreted. ASM.Js is very fast and also has some transpilers, but it is very different from Web Assembly.
Web Assembly has the highest potential. High potential for speed, calculations, AND RISK. The threat model for Web Assembly has not been tested as well as Javascript.
Well, the WebAssembly bytecode is the same target that is used by JS, so it kind of is JS in a way, well, at least in the way that is important to the OP's concern, in that WebAssembly should have the same risk profile as JS. wasm and JS don't represent two different pipelines - they run on the same VM.
You may be confused with ASM.Js, which IS javascript. It is a very optimized version that uses a similar idea of a CPU instruction set (get register, add, branch on flag, push on stack, etc), but it still is interpreted. ASM.Js is very fast and also has some transpilers, but it is very different from Web Assembly.
Web Assembly has the highest potential. High potential for speed, calculations, AND RISK. The threat model for Web Assembly has not been tested as well as Javascript.