The prevailing narrative in our circles seems to be that WebAssembly is the long-awaited panacea for secure, portable sandboxing, particularly for AI agents and untrusted plugins. While the control flow integrity and lack of syscalls-by-default are laudable, I find the community's collective faith in the linear memory model to be dangerously misplaced. It is frequently touted as a simplification that enhances security, but I argue it introduces a class of vulnerabilities that are both subtle and catastrophic, effectively making it a structural footgun for any security-critical deployment.

The core issue is that WebAssembly's security model relies on a single, contiguous array of bytes—the linear memory—being managed *correctly* by the guest code itself. There is no hardware-enforced segmentation, no memory protection units, no concept of a guard page unless explicitly implemented by the host. All isolation is logical, not physical. This places an enormous burden on the correctness of the compiler toolchain and the guest's own memory management routines (often a ported `malloc`/`free`).

Consider the implications:
* **Spatial safety is purely software-defined.** A single buffer overflow within the linear memory can corrupt adjacent data structures, function pointers in tables, or the heap metadata itself. While control flow remains constrained to the defined indices, data-only attacks can completely subvert the agent's logic. A malicious or buggy plugin can corrupt the state of a co-located, benign plugin sharing the same memory arena, violating the principle of least privilege *within* the sandbox.
* **It recreates the very problems we escaped from in native code.** We spent decades dealing with heap corruption, use-after-free, and integer overflows leading to arbitrary writes. WASM's linear memory, when paired with an unsafe language like Rust (with `unsafe` blocks) or C/C++, brings all those vulnerabilities back into the "sandboxed" environment. The sandbox only prevents escape to the host system, but does nothing to contain intra-sandbox chaos, which is often the primary threat model for multi-tenant agent tooling.
* **The mitigation burden shifts to the embedder.** To achieve true isolation between multiple WASM modules, you must either give each its own isolated linear memory (which complicates communication and bloats overhead) or you must rigorously audit the memory safety of all guest code. The latter is impossible for third-party plugins. This forces a paradigm where the sandbox boundary is the *only* security boundary, making it a high-value target. A single escape renders the entire system compromised.

Where does this leave us? WebAssembly isolation is genuinely useful for containing *known-bad* or *intentionally malicious* code from touching the host filesystem or network. It is excellent as a performance-isolated compute unit. However, as a security boundary for complex, multi-plugin AI agent systems where plugins may be mutually adversarial, it is largely security theater. The isolation is binary: either perfectly contained, or completely escaped. There is no graceful degradation, and the linear memory model ensures that the attack surface for that escape is broad and familiar to any attacker with a background in binary exploitation. We are essentially running a 1990s-style monolithic application, with all its attendant vulnerabilities, inside a very well-designed cage. One crack in the cage, and you have a full system compromise.

I am advocating for a more nuanced understanding. If your threat model includes malicious plugins, you cannot rely on WASM alone. You must layer it with:
* Formal verification of critical guest code.
* Segmentation at the host level by running distinct agents in separate microVMs.
* A strict, capability-based API for host calls that minimizes the attack surface.

To treat WebAssembly as a turn-key sandbox solution is to ignore the lessons of computer security history. The linear memory is a concession to performance and simplicity, not a security feature. In many ways, it is the weakest part of the design.