But Docker is free (unless you're a fairly large business, in which case containerd is still free, and you can either pay for the front-end license or figure out how to set up one of the free alternatives), and from what perspective are the isolations available for the containerd process inferior to those available for your browser process? The former was at least designed from the ground up with security, auditing, quotas etc. in mind, and offers better per-container granular control than your browser offers per-tab.
I would argue the exact opposite: Linux is great, but it wasn't really designed with a focus on containing hostile software, and while containers have come to be a decent security barrier, they're still one kernel bug away from compromise. On the other hand, the browser is very accustomed to being the most exposed security-sensitive software on a machine, and modern browsers and wasm in particular are designed against that threat. Heck, wasm is so good for security that Mozilla started compiling components to wasm and then back into native code to get memory safety ( https://hacks.mozilla.org/2020/02/securing-firefox-with-weba... ).