TL;DR: depending on your use case and defintion of "safe" in most general prupose cases they can be assumed to be "in general" as safe as the other.
For the sandbox it's hard to say, lets just say for most considerations they can be treated as "as safe" as the other.
But many vulnerabilities had been in APIs interacting with external resources, I/O etc.And currently in the browser that in general goes through JS, so some would say JS is more secure.
But it's not that a WASM engine can't provide such APIs to WASM without going through JS (e.g. see WASI) and weather it's WASM or JS they semantically only have access to this APIs through their engine which can guard/filter/limit/etc. the APIs however it wants (i.e. you can't call the systems libc function directly or anything like that).
So in general I would say the question if one is "safer" then the other is meaningless.
Especially if we compare a custom JS only vs. WASM only sandbox which doesn't have DOM and all the old JS browser APIs. Through with this APIs you could say WASM is slightly more save.
There are also some other interesting considerations like e.g. in JS you have eval (and DOM to do eval in a roundabout way) but then in WASM you have memory safety issues (depending on the source language, through due to WASM design they are much much less abusable then in native C, but they still can involve vulnerabilities leading to affecting program behavior in a way which can be a security issue, e.g. overflow overwriting a "valid" flag or similar).
Anyway if asked "in general" I think there is no meaningful answer outside of treat it as the same.
But if you have specific use-cases/needs things might differ.
For the sandbox it's hard to say, lets just say for most considerations they can be treated as "as safe" as the other.
But many vulnerabilities had been in APIs interacting with external resources, I/O etc.And currently in the browser that in general goes through JS, so some would say JS is more secure.
But it's not that a WASM engine can't provide such APIs to WASM without going through JS (e.g. see WASI) and weather it's WASM or JS they semantically only have access to this APIs through their engine which can guard/filter/limit/etc. the APIs however it wants (i.e. you can't call the systems libc function directly or anything like that).
So in general I would say the question if one is "safer" then the other is meaningless.
Especially if we compare a custom JS only vs. WASM only sandbox which doesn't have DOM and all the old JS browser APIs. Through with this APIs you could say WASM is slightly more save.
There are also some other interesting considerations like e.g. in JS you have eval (and DOM to do eval in a roundabout way) but then in WASM you have memory safety issues (depending on the source language, through due to WASM design they are much much less abusable then in native C, but they still can involve vulnerabilities leading to affecting program behavior in a way which can be a security issue, e.g. overflow overwriting a "valid" flag or similar).
Anyway if asked "in general" I think there is no meaningful answer outside of treat it as the same.
But if you have specific use-cases/needs things might differ.