> Something as little as the runtime can just get exploited (which that as happened.) and cause a sandbox escape on the client side.

Sandbox escapes could happen in Javascript too, right? But I don't see people avoiding browsing the web because of that