I don't know, this time around there has been much more focus on security which was really what spelled doom for Flash/Java. That and it's actually included as part of web standards instead of being something that users have to download and update separately. I doubt that GC would have been added at all except that it's a requirement to speedup and simplify the boundary between the browser and WASM.
There was nothing fundamentally bad about security — any runtime is secure without having ways to call side effects. JS started afresh with barely any capabilities, while Java applets could actually be used to write real applications even back then. Since then JS grown a lot with carefully thought out APIs. But there is nothing fundamental that could not have been done in a JVM-web alternative future.
