There's still interop code though, isn't part of the challenge with this ensuring that there's no security holes in the communication layer between the VM and the outer application? Perhaps they have that concern regardless, but I think a standard set of patterns + shims will eventually converge for Realms.
There is interop code between the wasm and its JS runtime, but that's very easy to audit for exactly what the wasm is given and what it returns.
Also that interop code will be a combination of standard runtime code - very heavily tested, unless they are using something very new - and code they write themselves for their specific application - which they control.
So I think this is the safer route for security. It does have a speed penalty atm, but sounds like it's worth it for Figma.
