Does it prevent it, or just limit the arbitrary PHP execution to inside the WASM sandbox? If the latter, that's still helpful, but still leaves quite a few of the typical end goals in place... like altering the content presented to visitors, etc.
Yup, PHP RCE inside the PHP WASM sandbox is not much different in scope than PHP RCE inside a Drupal Apache container, more or less - you get RW on the complete Drupal instance.