
Wasm outright forbids things like GOTO and other potentially insecure features, opting instead for structured programming. Java has been the subject of countless security vulnerabilities.

Wasm also has the ability to stream bytecode and validate/compile as it streams (fast parsing was a major design goal) resulting in much faster startup times.

Wasm is easier to integrate into the JIT/VM already shipping in browsers so they don't have to ship two massive engines.

Wasm is a bit lower level which should result in faster execution than the JVM in the future.

Wasm doesn't require garbage collection.

Wasm has unsigned integers.

Wasm isn't encumbered by Oracle.



goto or lack thereof has nothing to do with wasm's security. It could have added goto tomorrow without breaking the sandbox. Indeed, there are a couple proposals (funclets, multiloop) that are basically dressed up goto.


Which Java vulnerabilities are you referring to which require breaking bytecode compatibility?


I misspoke (and updated my comment).


Ok. I'm also curious about your comment regarding GOTO. How is it potentially insecure?


> Ok. I'm also curious about your comment regarding GOTO. How is it potentially insecure?

Really? Is that a question?

The trend over the years has been to structure our code. GOTO throws all of that away. Jump straight over the guards.


The Java language doesn't have a goto statement, and so all code is properly structured. A labeled break statement is almost a goto statement, but it still obeys structuring rules -- i.e., you cannot jump into the middle of a loop.

At the bytecode level, all structured constructs get compiled into forms that rely on goto statements. Is this inherently insecure? Should the bytecode require structured programming too? How does this guard against malicious use any more than verified bytecode that relies on gotos?


That doesn’t make code insecure, it’s just extremely powerful and very useful for compilers and optimizations even if it wouldn’t be desired in a modern language for issues that have nothing to do with security.


Yes, it has its uses.

But not really in high-level languages.
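
The thread asks how verified bytecode that relies on gotos can be guarded. The sketch below is an added example, not code from any commenter or from the JVM or Wasm: it checks jump targets and stack depth for a toy stack machine, and the instruction set and the `verify` function are assumptions made for illustration.

```python
# Toy stack-machine verifier (constructed instruction set, not JVM or Wasm bytecode).
# Each instruction is (opcode, operand); EFFECT maps opcode -> (pops, pushes).
EFFECT = {"push": (0, 1), "pop": (1, 0), "add": (2, 1),
          "goto": (0, 0), "ifz": (1, 0), "ret": (1, 0)}

def verify(code):
    """Return None if every path is safe, else a string naming the first problem."""
    if not code:
        return "empty program"
    depth_at = {0: 0}            # stack depth on entry to each reachable instruction
    work = [0]                   # instructions still to be checked
    while work:
        pc = work.pop()
        op, arg = code[pc]
        if op not in EFFECT:
            return f"pc {pc}: unknown opcode {op!r}"
        pops, pushes = EFFECT[op]
        if depth_at[pc] < pops:
            return f"pc {pc}: stack underflow"
        depth = depth_at[pc] - pops + pushes
        if op == "ret":
            succs = []
        elif op == "goto":
            succs = [arg]
        elif op == "ifz":
            succs = [arg, pc + 1]        # taken branch and fall-through
        else:
            succs = [pc + 1]
        for nxt in succs:
            if not isinstance(nxt, int) or not 0 <= nxt < len(code):
                return f"pc {pc}: control leaves the code (target {nxt})"
            if nxt not in depth_at:
                depth_at[nxt] = depth
                work.append(nxt)
            elif depth_at[nxt] != depth:  # two paths disagree about the stack
                return f"pc {nxt}: inconsistent stack depth at merge"
    return None

# Constructed sample programs.
LOOP = [("push", 5), ("ifz", 4), ("push", 0), ("goto", 1),   # backward goto
        ("push", 7), ("ret", None)]
SKIP_PUSH = [("goto", 2), ("push", 1), ("ret", None)]         # jumps over the push
BAD_MERGE = [("push", 1), ("ifz", 3), ("push", 1), ("ret", None)]

if __name__ == "__main__":
    for name, prog in [("LOOP", LOOP), ("SKIP_PUSH", SKIP_PUSH), ("BAD_MERGE", BAD_MERGE)]:
        print(name, "->", verify(prog) or "ok")
```

The loop with a backward `goto` is accepted, while the jump that skips the `push` is rejected before anything runs.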



