True. bubblewrap and similar (Landlock, sandbox-exec on Mac) are solid lightweight options. The main difference is they still expose a syscall interface that you then restrict, vs WASM where capabilities are opt-in from zero. Different starting points, similar goals.

Some advantages of building the sandbox in wasm, aside from the security benefits, are complete execution reproducibility. amla-sandbox controls all external side effects, leaving the wasm core as just "pure computation", which makes recording traces and replaying them very easy. It's great for debugging complex workflows.

If I had to rank these, in order of least to most secure, it would be container < VM < WASM.

WASM has:

- Bounds checked linear memory

- No system calls except what you explicitly grant via WASI

- Much smaller attack surface

VMs have:

- Hardware isolation, separate kernel

- May have hypervisor bugs leading to VM escape (rare in practice though)

Some problems with containers:

- Shared host kernel (kernel exploit = escape)

- Seccomp/AppArmor/namespaces reduce attack surface but don't eliminate it

- Larger attack surface (full syscall interface)

- Container escapes are a known class of vulnerability

In theory it's more secure. Containers and VMs run on real hardware, containers usually even on the real kernel (unless you use something like Kata). WASM doesn't have any system interface by default, you have full control over what it accesses. So it's similar to JVM for example.