WASM implementations are sandboxed - which can be defeated in theory as,
given that there were POC spectre attacks on Javascript VMs
it must be possible to do the same on what would be a Webassembly
frontend to the same backend (practically) - but eBPF (or the validator
to be more specific) is designed to conservatively only accept programs that it can guarantee have certain semantics.