That is not the case although Web Assembly advocates sell it otherwise, thankfully security researchers are now finally caring to have a deeper look into their claims.
Sandboxing is only part of the solution, it doesn't protect all possible attack vectors.
For example, bounds checking is only enforced on the boundaries of the linear memory segment, not inside it.
So if you have a Web Assembly module, originally written in C, where all memory allocations get mapped into a single linear memory segment, there is no protection against possible corruption of neighbouring data structures.
With this in mind you can indirectly attack a module by providing data to the public APIs that would eventually change the expected results, for example returning an admin token for a security module, instead of a regular one that the API was expected to return for then given user id.
Sandboxing is only part of the solution, it doesn't protect all possible attack vectors.
For example, bounds checking is only enforced on the boundaries of the linear memory segment, not inside it.
So if you have a Web Assembly module, originally written in C, where all memory allocations get mapped into a single linear memory segment, there is no protection against possible corruption of neighbouring data structures.
With this in mind you can indirectly attack a module by providing data to the public APIs that would eventually change the expected results, for example returning an admin token for a security module, instead of a regular one that the API was expected to return for then given user id.