[encryptluks2]

Electron apps are often pulling in hundreds of unvetted npm packages and then given direct read/write access to the entire file system. I'm okay with browser security overall for PWAs as I don't want websites to be able to break out of the sandbox and I want permission prompts when they want access to perform specific actions, but I can still inspect the code more freely to see what is happening behind the scenes and say no I don't trust this developer to have read/write access.

With WASM, it is like machine code for the browser meant to obscure what is even happening and you are supposed to just trust it and I don't. I don't trust it to not be abused to push more privacy violations and I don't trust most web developers enough to not just pull in a huge framework with no clue what they are doing and to make accessible fast sites using it.

[maven29]

Wouldn't dependency hijacking only be an issue during build/packaging, rather than installation when everything is frozen? All you're going to see as an end-user is a prebuilt binary that doesn't even know what NPM is. Again, this is no different from native apps.

Native apps are objectively worse than WASM in terms of security/privacy risks as they have access to all userspace syscalls. It's not like WASM bytecode can link against system libraries. Everything has to go through the browser/runtime sandbox. The only real risk here is side-channel attacks like Meltdown.

[encryptluks2]

Again though, they are already sandbox frameworks for the desktop for native apps. There is not a need to have the web browser, a notoriously anti-privacy component, as a DRM player for non-DRM content.