(no title)

I don't think Firecracker's existence makes WASM's isolation uninteresting. First, I think you are looking at way more resources running a full VM (even a "micro" VM) compared to a WASM runtime. I think startup times are not comparable either, so if that matters you'll find WASM to be the way to go.

Second, WASM's capability-based security model is wonderful for giving the untrusted code the things it needs to work with. With a VM, you have to stitch together with shared directories, virtual eth bridges or, linux capabilities, maybe some cgroups, and who knows what else. (Granted you may need to do some of that with WASM too, but less so).