WASI aims to bring cross-platform, sandboxed executables, using WebAssembly as the base, to non-browser systems: https://github.com/CraneStation/wasmtime/blob/master/docs/WASI-overview.md
It's also ocap-based so there's some hope for security actually working.
However, Ben Laurie (who worked on Capsicum) argues that since we have something resembling a clean slate, why try to build it on a broken POSIX'y type design? (The article also talks about how and why containers continue to break their own sandboxing.) https://medium.com/@benlaurie_18378/how-to-ruin-a-perfectly-good-container-d33250fca595