Because there will probably be bugs that make it possible to break out of the sandbox and run arbitrary code on the target machine. Just like Java applets.
There's no reason to suspect that browser implementors would sandbox wasm any less strictly than JS. Heck, there's no reason to suspect that they wouldn't just re-use the existing JS sandbox.
Thanks, kibwen. I'll make a stronger statement. By definition, wasm and JS are two syntaxes (initially co-expressive, wasm and asm.js) for one VM.
Do people actually read docs any longer? https://github.com/WebAssembly/ has some, my blog covered the 1VM requirement. There won't be a new "sandbox". JS and wasm interoperate over shared objects.
