What kind of harmful code could you put in WASM? You could return a string that you eval on the javascript side, so the reviewers could possibly ask for the WASM source if they saw the eval, but other than that the purpose of WASM is to be a safe sandbox after all, right?
I'm not familiar with the security guarantees of WASM in the browser but I imagine they're more along the lines of preventing data exfiltration from the browser/OS, it would be difficult to prevent something like abusing your CPU resources to mine Bitcoin in the background for example.
One way to protect yourself from bitcoin mining is to not give a WASM program both an access to get incoming data and send data both into a 3rd party server. Another possibility is to threshold computation power on the WASM interpreter so that there's a limit of opcodes processed.
