It even says so right in the abstract:

"Embedding the decoders in each file requires minimal storage (kilobytes) and ensures compatibility on any platform in case native decoders are unavailable."

The idea that software I write today can decode a data file written in ten years using new encodings is quite appealing.

And the idea that new software written to make use of the new encodings doesn't have to carry the burden of implementing the whole history of encoders for backwards compatibility likewise.

Now you have code stored in your database which you don't know what will do when you execute it.

Sounds very much like the security pain from macros in Excel and Microsoft Word that could do anything.

This is why most PDF readers will ignore any javascript embedded inside PDF files.

It gets even better further down the paper!

"In case users prefer native decoding speed over Wasm, F3 plans to offer an option to associate a URL with each Wasm binary, pointing to source code or a precompiled library."

They are not suggesting that the code at the url would be automatically downloaded. It would be up to you to get the code and build it into your application like any other library.

Is this relevant in practice? Say I go to a website to download some data, but a malicious actor has injected an evil decoder (that does what exactly?). They could just have injected the wasm into the website I am visiting to get the data!

In fact, wasm was explicitly designed for me to run unverified wasm blobs from random sources safely on my computer.

Excel, Word and PDF readers weren’t properly sandboxed.