I'm aware it's not impossible to exploit the current plug-in free browsers we have now. It's still objectively better than before.

Not that I'm satisfied with the current state of browsers mind you. I just think not being forced to install someone's binary blob to look at web content is a net benefit.

Except you can't disable WebAssembly, and you can't control how a SPA is implemented, see Figma for example.

Now you can enjoy Flash like ads using WebAssembly + WebGL, making it all a Phyrric victory.

WebAssembly can absolutely be disabled:

Chromium-based: --js-flags=--noexpose_wasm

Firefox-based: about:config javascript.options.wasm = false

Great now explain that to granny on her phone.

Seems like you're moving the goalposts...

Webassembly is clearly an improvement over the old plugins. For one thing it's a full virtual machine and was designed with sandboxing in mind.

Not at all, I say it can be disabled and stand by it.

Those browser flags aren't something Joe and Jane users are capable to be aware of, can disappear at any time anyway, and are not a thing on mobile devices.

A sandboxing that isn't bullet proof and can still be exploited by triggering memory corruption on the linear memory segment, thus changing decisions based on the data contents.

Joe and Jane also don't know or care what WebAssembly is.