WASM is less secure than a regular process boundary, and far less secure than a hypervisor. I'm not sure where you're getting this from? Things like spectre mitigations in CPUs are not doing anything for the likes of WASM, after all, they only target process & ring boundaries. It's why you have to enable COOP and COEP to use thread with WASM - because the security for WASM's threads comes from the CPU enforcing process boundaries, not from WASM's sandbox.
If we are concerned with leakage of user data available in your own web program, then unsafe WASM code is more secure than unsafe code in a hypervisor because it prevents RCE, which results in full control of the hypervisor environment, which also enables transient attacks against the host environment, if there are vulnerabilities in your hypervisor (previously hypervisors had to be patched for Spectre). If we are talking about host platform protection against arbitrary malicious code, information leakage from neighboring processes/tabs, WASM is no different from a process boundary, at least in chrome, because that's how it's implemented. It's an implementation detail independent of WASM. Could as well be implemented with hardware virtualization, but it would make interfacing with browser APIs more expensive, probably to the point of impracticality.
Are you trying to say that code compiled with CFI is less vulnerable than code that wasn't? In which case sure, but that's entirely orthogonal to WASM. Code inside WASM isn't otherwise inherently protected. Code reuse attacks via indirect calls are still possible, as are of course side channel attacks and data leaks.
And since WASM uses linear memory and lacks things like ASLR, the code in the sandbox cannot achieve the same level of protection it could if it was in a hypervisor.
