You're right that wasm programs can overflow internal buffers in linear memory, which can be dangerous. However, wasm does a lot more than only protect the boundary with the rest of the system, including
* Safe call stack (opaque / managed by the VM, and so uncorruptible).
* Safe control flow (no jumps to unexpected places).
* Safe(r) indirect calls (only methods in the table can be called, and the signature is verified).
However, wasm also lacks a few things, like the ability to write-protect static data (see "Everything Old is New Again: Binary Security of WebAssembly"). Future wasm proposals will hopefully address those things.
* Safe call stack (opaque / managed by the VM, and so uncorruptible).
* Safe control flow (no jumps to unexpected places).
* Safe(r) indirect calls (only methods in the table can be called, and the signature is verified).
However, wasm also lacks a few things, like the ability to write-protect static data (see "Everything Old is New Again: Binary Security of WebAssembly"). Future wasm proposals will hopefully address those things.