Despite the sandboxing one still cannot run untrusted WASM code in the same process as trusted code due to hardware bugs. CPU vendors are not going to fix those anytime soon. Their message is to always use separated address space for security isolation.
And since one needs an external process in any case, native containers win as they are faster by a factor of two over WASM.
EDIT:
It does not even make sense to use WASM inside a native container as an extra security layer. With the overhead of WASM one can just put a container inside a VM and still run things faster.
Spectre is not going to be fixed for code within the same address space and allows untrusted code to read all process memory. Google in V8 tried to protect against that, but they mostly gave up as there were way too many ways to affect the cache.
If your threat model includes hardware bugs, then a container doesn't really help, no? You can't really trust your containers without sandboxing them, and then you're killing your performance anyway.
A heavily sandboxed container has an overhead of a few percent. A hardware VM slows things down by 10-20% for a typical application. So even combining a VM with a container will still be significantly faster than WASM.
For the runtime, yes. But the cost of sending information into and out of a VM/container versus staying in the same process is costly, especially for small amounts of computation.
And you're also comparing decades of VM and container investment to a handful of years of investment in WASM. WASM code today will run faster by a huge margin in a few years as the compilers improve.
But moreover, most folks don't care about hardware bugs letting untrusted code break out of a sandbox. Bugs have been letting code break out of VMs, even, for years. If a hardware bug is discovered, you install the microcode update or kernel patch and move on.
Which is to say, the performance isn't the reason for choosing WASM. It's good enough, in many cases. Being able to write a hundred or two lines of code to get pretty-fast and pretty-damn-secure sandboxing without needing to waste your time setting up and maintaining an elaborate breakfast machine of VMs and containers is the draw.
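An added illustration of the boundary-crossing cost the comment above describes (this is not code from any commenter): it times a trivial computation called in-process against the same computation served by a second process over a pipe. `work` is a hypothetical stand-in for a "small amount of computation"; the absolute numbers depend on the machine, but the gap between the two is what the argument rests on.

```python
import multiprocessing as mp
import time


def work(x: int) -> int:
    # Hypothetical "small amount of computation": a cheap integer op.
    return (x * 31 + 7) & 0xFFFF


def _worker(conn) -> None:
    # Child process: answer requests until it receives the None sentinel.
    while True:
        x = conn.recv()
        if x is None:
            break
        conn.send(work(x))


def measure(n: int = 2000) -> dict:
    """Return per-call latency (seconds) for in-process vs. cross-process calls."""
    # 1. Same address space: a plain function call.
    t0 = time.perf_counter()
    acc_local = 0
    for i in range(n):
        acc_local ^= work(i)
    in_process = (time.perf_counter() - t0) / n

    # 2. Separate address space: each request is a pipe round trip to a child.
    parent, child = mp.Pipe()
    proc = mp.Process(target=_worker, args=(child,))
    proc.start()
    child.close()  # parent keeps only its own end
    t0 = time.perf_counter()
    acc_remote = 0
    for i in range(n):
        parent.send(i)
        acc_remote ^= parent.recv()
    ipc = (time.perf_counter() - t0) / n
    parent.send(None)
    proc.join()
    parent.close()

    # Both paths must compute the same thing; only the cost differs.
    assert acc_local == acc_remote
    return {"in_process_s": in_process, "ipc_s": ipc, "ratio": ipc / in_process}


if __name__ == "__main__":
    r = measure()
    print(f"in-process: {r['in_process_s']*1e6:.3f} us/call")
    print(f"pipe round trip: {r['ipc_s']*1e6:.3f} us/call")
    print(f"ratio: {r['ratio']:.0f}x")
```

The child does exactly the same arithmetic, so the entire difference is the cost of serialising the request, waking another process and reading the reply; for work this small that cost typically dwarfs the computation itself, which is the point the comment makes about fine-grained calls across a VM or container boundary.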