The JS based C compiler has no access outside the browser sandbox, but it is capable of generating actual executables which could potentially break out of the walled garden. That is why Microsoft ActiveX was deprecated as a security hazard and why their original proprietary browser was known as Internet Exploder.
Why go through the trouble of generating a blob of executable code at runtime rather than just including it in the JS source? The security guarantees are the same.