As I noted in another comment Figma has used QuickJS to run JS inside Wasm ever since a security vulnerability was discovered in their previous implementation.
In a browser environment it's much easier to sandbox Wasm successfully than to sandbox JS.
That’s very interesting! Have they documented the reasoning for that approach? I would have expected iframes to be both simpler and faster sandboxing mechanism especially in compute bound cases. Maybe the communication overhead is too high in their workload?
In a browser environment it's much easier to sandbox Wasm successfully than to sandbox JS.