Daniel [1], one of the authors here. Feel free to ask also technical questions, I'll try my best to answer them.
If you don't feel like reading the whole paper, there is also a short (~10 min) video on the conference website [2], where I explain the high-level bits.
Great overview. Would it be correct to characterize the fwrite capability as one of the more concerning potential exploits (ie. esp. when combined with other browser vulnerabilities)?
You are referring to the example exploit in section 5.3, right? Please note that this example is for a standalone VM, not inside the browser (where JavaScript programs -- and by extension, WebAssembly modules -- do not have direct access to the filesystem).
Whether that exploit is more or less concerning than the browser and Node.js examples, I think is hard to answer in general without additional qualifications. If the standalone VM uses fine-grained capabilities (e.g., libpreopen) or is sandboxed, then changing the file that is being written to might be possible inside WebAssembly memory but access could be blocked by the VM.