One can avoid the most egregious security concerns (RCE) if software vendors use slightly slower libraries to render their images. Avoid libraries written in C. It'll almost eliminate all RCE, and your users will be safer because of it.
Can't see that happening any time soon, browsers/users love render speed.
If one is concerned about this as an end user, I've seen some extensions that block WebP and try to request a PNG/JPG/etc. version from the host.
I can't attest to how effective it is as I didn't use it long. But it worked with some of the big image hosting sites like imgur.
For me, this was just so I was able to download images in a usable format. Most OSs can't treat WebP like normal images, e.g. generating thumbnails or opening a preview app.
That was a few years ago though so maybe things have changed.
I might be making stuff up here, but I do remember the same happening to, I think, PNG and JPG at least once, to some degree.
It just sounds like typical growing pains from using non-safe languages (C).
I get the appeal for browser speeds, but I really wish we as an industry could move away from methods that encourage the same mistakes we've been making since we started writing in C.
It feels like we're using self-tapping screws to build a bridge instead of rivets because it's faster. And we can just keep adding more screws if the bridge starts to sag.