by hashseed 2661 days ago
V8 already employs W^X, i.e. memory pages allocated for V8's heap are either writable or executable, but not both at the same time.
2 comments

By allowing JIT at all, a small ROP chain can call VirtualProtect to make a larger payload executable.

Sure you can do everything with ROP, but it is less convenient (and Intel CET might eventually make ROP attacks actually hard).

Well, except for WebAssembly. But even then, it's still fundamentally possible to hijack control of whatever changes the pages from RW to RX.
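To make the thread's point concrete, here is a small W^X-style JIT region in C, written for this page and not taken from the thread or from V8. It maps a page RW, writes a tiny "return 42" stub into it, flips the page to RX through one helper, and runs it; the same helper is the chokepoint the last comment refers to, and it refuses any request for writable-and-executable at once. The names `wx_protect`, `jit_run_ret42` and `wx_rejects_rwx` are my own; it assumes a POSIX system (Linux or macOS) on x86_64 or aarch64.

```c
#define _DEFAULT_SOURCE
/* Added example: minimal W^X-respecting code page (not V8's code). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*jit_fn)(void);

/* Constructed machine code for "return 42" on the two supported architectures. */
#if defined(__x86_64__)
static const unsigned char RET42[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };            /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char RET42[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 }; /* mov w0,#42 ; ret */
#else
#error "this demo supports x86_64 and aarch64 only"
#endif

/* The single place that changes page permissions. Enforces W^X: a request
 * for PROT_WRITE together with PROT_EXEC is rejected before reaching the kernel. */
int wx_protect(void *addr, size_t len, int prot) {
    if ((prot & PROT_WRITE) && (prot & PROT_EXEC)) return -1;
    return mprotect(addr, len, prot);
}

/* Write the stub while the page is RW, flip it to RX, call it, and return
 * its result. Returns -1 if any step fails. */
int jit_run_ret42(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *mem = mmap(NULL, page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;

    memcpy(mem, RET42, sizeof RET42);                 /* allowed: page is RW, not X */
    if (wx_protect(mem, page, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, page);
        return -1;
    }
    /* Instruction cache must see the new bytes (a no-op on x86, required on aarch64). */
    __builtin___clear_cache((char *)mem, (char *)mem + sizeof RET42);

    jit_fn fn;
    memcpy(&fn, &mem, sizeof fn);                     /* object-to-function pointer without a cast warning */
    int r = fn();
    munmap(mem, page);
    return r;
}

/* Demonstrates the chokepoint refusing an RWX mapping. Returns 1 on rejection. */
int wx_rejects_rwx(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *mem = mmap(NULL, page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return 0;
    int rc = wx_protect(mem, page, PROT_READ | PROT_WRITE | PROT_EXEC);
    munmap(mem, page);
    return rc == -1;
}

int main(void) {
    printf("jit stub returned: %d\n", jit_run_ret42());
    printf("RWX request rejected: %d\n", wx_rejects_rwx());
    return 0;
}
```

The security-relevant observation is in the structure, not the stub: the page is never W and X at the same time, so a write primitive alone cannot plant executable code, but `wx_protect` (or, on Windows, a `VirtualProtect` call as the thread notes) is the one transition an attacker with control flow would need to reach, which is why the thread treats the page-flipping path itself as the thing to protect.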