VMs are not all the same, and a VM does not at all guarantee security.
The JVM is not designed to run arbitrary code and/or is not as well designed to do it as JavaScript or Wasm is.
If it were as simple as plugging the JVM into the browser, it would be done. However, it's not, because the memory and execution safety measures are better in JavaScript and Wasm.
Wasm should actually have better isolation than JS.
If you want to know the details, go read the spec and look at the implementations.
Java Applets were a security risk, but that was decades ago. The modern JVM has many options to sandbox a running app.
But it seems that WASM tries to be a minimal CPU target instead, which is questionable - I can’t wait to see memory errors (even if only inside a single webpage) on the web. With the good quality GCs available with JS, but even more so on JVM, I would say that running system languages should not be the point.