I'd consider JS and WASM quite a bit more risky from a security standpoint, which is why everyone should refuse loading and executing those by default.

Securing an XSLT 3.0 implementation would be much easier.